Qualcomm

Qualcomm is warning of three zero-day vulnerabilities in its GPU and Compute DSP drivers that hackers are actively exploiting in attacks.

The American semiconductor company was told by Google's Threat Analysis Group (TAG) and Project Zero teams that CVE-2023-33106, CVE-2023-33107CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.

Qualcomm says it has released security updates that address the issues in its Adreno GPU and Compute DSP drivers, and impacted OEMs were also notified.

"Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible" – Qualcomm.

The CVE-2022-22071 flaw was disclosed in May 2022 and is a high-severity (CVSS v3.1: 8.4) locally exploitable use after free bug impacting popular chips like the SD855, SD865 5G, and SD888
 5G

Qualcomm has not released any details on the actively exploited CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063 flaws and will provide more information in its December 2023 bulletin.

This month's security bulletin also warns of three other critical vulnerabilities:

  • CVE-2023-24855: Memory corruption in Qualcomm’s Modem component occurring when processing security-related configurations before the AS Security Exchange. (CVSS v3.1: 9.8)
  • CVE-2023-28540: Cryptographic issue in the Data Modem component arising from improper authentication during the TLS handshake. (CVSS v3.1: 9.1)
  • CVE-2023-33028: Memory corruption in the WLAN firmware occurring while copying the pmk cache memory without performing size checks. (CVSS v3.1: 9.8)

Along with the above, Qualcomm has disclosed 13 high-severity flaws and another three critical-severity vulnerabilities discovered by its engineers.

As the CVE-2023-24855, CVE-2023-2854, and CVE-2023-33028 flaws are all remotely exploitable, they are critical from a security standpoint, but there is no indication they are exploited.

Unfortunately, there isn't a lot impacted consumers can do besides applying the available updates as soon as those reach them through the usual OEM channels.

Flaws in drivers usually require local access to exploit, typically achieved through malware infections, so Android device owners are recommended to limit the number of apps they download and only source them from trustworthy repositories.

Yesterday, Arm issued a similar security advisory warning about an actively exploited flaw (CVE-2023-4211 discovered and reported to them by Google's Threat Analysis Group (TAG) and Project Zero, which impacts a wide range of Mali GPU drivers.

Related Articles:

Black Basta ransomware gang linked to Windows zero-day attacks

Check Point releases emergency fix for VPN zero-day exploited in attacks

Google Chrome emergency update fixes 6th zero-day exploited in 2024

Google fixes fifth Chrome zero-day exploited in attacks this year

Google Pixel 6 series phones bricked after factory reset