SB2024100739 - Multiple vulnerabilities in Qualcomm chipsets
Published: October 7, 2024 Updated: September 26, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 20 secuirty vulnerabilities.
1) Improper Neutralization of Directives in Statically Saved Code (\'Static Code Injection\') (CVE-ID: CVE-2024-33065)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera. A local application can execute arbitrary code.
2) Buffer over-read (CVE-ID: CVE-2024-38397)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Host Communication. A remote attacker can perform a denial of service (DoS) attack.
3) Buffer over-read (CVE-ID: CVE-2024-33073)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in WLAN Host Communication. A remote attacker can read and manipulate data.
4) Buffer over-read (CVE-ID: CVE-2024-33071)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Host Communication. A remote attacker can perform a denial of service (DoS) attack.
5) Buffer over-read (CVE-ID: CVE-2024-33070)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Host Communication. A remote attacker can perform a denial of service (DoS) attack.
6) Use After Free (CVE-ID: CVE-2024-33069)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Host. A remote attacker can perform a denial of service (DoS) attack.
7) Buffer over-read (CVE-ID: CVE-2024-33064)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in WLAN Host Communication. A remote attacker can read and manipulate data.
8) Buffer over-read (CVE-ID: CVE-2024-33049)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Host Communication. A remote attacker can perform a denial of service (DoS) attack.
9) Improper Authorization (CVE-ID: CVE-2024-38425)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in Performance. A local application can read and manipulate data.
10) Memory corruption (CVE-ID: CVE-2024-23369)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in HLOS. A local application can execute arbitrary code.
11) Use After Free (CVE-ID: CVE-2024-43047)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in DSP Service. A local application can execute arbitrary code.
Note, the vulnerability is being actively exploited in the wild.
12) Buffer overflow (CVE-ID: CVE-2024-23378)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local privileged application can execute arbitrary code.
13) Double Free (CVE-ID: CVE-2024-23379)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in DSP Services. A local privileged application can execute arbitrary code.
14) Use After Free (CVE-ID: CVE-2024-23376)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in ComputerVision. A local privileged application can execute arbitrary code.
15) Buffer overflow (CVE-ID: CVE-2024-23375)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in RIL. A local privileged application can execute arbitrary code.
16) Stack-based buffer overflow (CVE-ID: CVE-2024-23374)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Power Management IC. A local privileged application can execute arbitrary code.
17) Use After Free (CVE-ID: CVE-2024-23370)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Multimedia. A local privileged application can execute arbitrary code.
18) Use After Free (CVE-ID: CVE-2024-38399)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.
19) Untrusted Pointer Dereference (CVE-ID: CVE-2024-21455)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in DSP Service. A local application can execute arbitrary code.
20) Improper Neutralization of Directives in Statically Saved Code (\'Static Code Injection\') (CVE-ID: CVE-2024-33066)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN Resource Manager. A remote attacker can execute arbitrary code.
Remediation
Install update from vendor's website.