SB2025030344 - Multiple vulnerabilities in Qualcomm chipsets
Published: March 3, 2025
Description
This security bulletin contains information about 27 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2024-53029)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive OS Platform. A local application can execute arbitrary code.
2) Buffer overflow (CVE-ID: CVE-2024-53027)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Host. A remote attacker can perform a denial of service (DoS) attack.
3) NULL Pointer Dereference (CVE-ID: CVE-2024-53024)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Display. A local application can execute arbitrary code.
4) Use After Free (CVE-ID: CVE-2024-53023)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Android OS. A local application can execute arbitrary code.
5) Improper Validation of Array Index (CVE-ID: CVE-2024-53014)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.
6) Improper Validation of Array Index (CVE-ID: CVE-2024-49836)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera. A local application can execute arbitrary code.
7) Use After Free (CVE-ID: CVE-2024-45580)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in DSP Service. A local application can execute arbitrary code.
8) Integer overflow (CVE-ID: CVE-2024-53025)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in BT Controller. A local application can perform a denial of service (DoS) attack.
9) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-53011)
The vulnerability allows a local privileged application to read and manipulate data.
The vulnerability exists due to improper input validation in Video Analytics and Processing. A local privileged application can read and manipulate data.
10) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2024-53032)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive OS Platform. A local application can execute arbitrary code.
11) Improper input validation (CVE-ID: CVE-2024-53031)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive OS Platform. A local application can execute arbitrary code.
12) Improper input validation (CVE-ID: CVE-2024-53030)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive OS Platform. A local application can execute arbitrary code.
13) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2024-53028)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Vehicle Networks. A local application can execute arbitrary code.
14) Improper Authorization (CVE-ID: CVE-2024-43051)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation in SPS-HLOS. A local application can gain access to sensitive information.
15) Improper input validation (CVE-ID: CVE-2024-53022)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive OS Platform. A local application can execute arbitrary code.
16) Improper input validation (CVE-ID: CVE-2024-53012)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive OS Platform. A local application can execute arbitrary code.
17) Use After Free (CVE-ID: CVE-2024-43062)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Linux. A local application can execute arbitrary code.
18) Use After Free (CVE-ID: CVE-2024-43061)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.
19) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2024-43060)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Audio. A local application can execute arbitrary code.
20) Use After Free (CVE-ID: CVE-2024-43059)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Multimedia. A local application can execute arbitrary code.
21) Use After Free (CVE-ID: CVE-2024-43057)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in MProc. A local application can execute arbitrary code.
22) Buffer over-read (CVE-ID: CVE-2024-43056)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Hypervisor. A local application can perform a denial of service (DoS) attack.
23) Buffer overflow (CVE-ID: CVE-2024-43055)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera_Linux. A local application can execute arbitrary code.
24) Improper Authentication (CVE-ID: CVE-2024-38426)
The vulnerability allows a remote attacker to read memory contents or crash the system.
The vulnerability exists due to improper input validation in Modem. A remote attacker can read memory contents or crash the system.
25) Use After Free (CVE-ID: CVE-2025-21424)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in NPU. A local application can execute arbitrary code.
26) Untrusted Pointer Dereference (CVE-ID: CVE-2024-53034)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in DSP_Services. A local application can execute arbitrary code.
27) Untrusted Pointer Dereference (CVE-ID: CVE-2024-53033)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in DSP_Services. A local application can execute arbitrary code.
Remediation
Install the update from the vendor's website.