Qualcomm releases a series of security patches and urges users to update immediately.
The chip manufacturer presents solutions for 20 vulnerabilities.
Qualcomm has released nearly twenty patches aimed at multiple products, addressing, among other issues, a vulnerability believed to be exploited by state-sponsored attackers. In the security advisory published by the company, 20 patches are detailed that correct flaws affecting various chipsets, among which CVE-2024-43047 stands out, a high-severity error (scoring 7.8) described as “memory corruption while maintaining high-level operating system memory maps.”
This flaw mainly affects Snapdragon 660 devices and later models, as well as 5G modems and FastConnect 6700, 6800, 6900, and 7800 Wi-Fi/Bluetooth kits. Qualcomm emphasized that this vulnerability had already been previously mentioned by Google’s Threat Analysis Group (TAG), the company’s security division responsible for analyzing zero-day vulnerabilities exploited by state actors and other government-sponsored groups.
“There is evidence from Google’s Threat Analysis Group that CVE-2024-43047 may be being exploited in a limited and specific manner,” states the advisory. “Patches for the issue affecting the FASTRPC driver have been made available to original equipment manufacturers, along with a strong recommendation to deploy the update on affected devices as soon as possible.”
Another significant flaw in this batch is CVE-2024-33066, defined as “memory corruption when redirecting a log file to any file location with any file name.” It has a severity rating of 9.8, classifying it as critical, although there is still no evidence that it has been abused in the wild.
As one of the leading chip manufacturers, Qualcomm is frequently in the crosshairs of cybercriminals. Approximately a year ago, the company identified multiple flaws in the Ardeno GPU and Compute DSP drivers (once again, after being alerted by Google’s TAG), which were also being used in “limited and specific exploitations.” On that occasion, it was indicated that the vulnerabilities were likely abused by state-sponsored actors in espionage and data exfiltration attacks.
In both cases, Qualcomm has urged its customers to apply the available patches as soon as possible.
