SB2025050640 - Multiple vulnerabilities in Qualcomm chipsets
Published: May 6, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 35 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2024-49845)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in HLOS. A local application can execute arbitrary code.
2) Use After Free (CVE-ID: CVE-2024-45583)
The vulnerability allows a local application to read, manipulate or delete data.
The vulnerability exists due to improper input validation in Secure Processor. A local application can read, manipulate or delete data.
3) Improper input validation (CVE-ID: CVE-2025-21460)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Software platform based on QNX. A local application can execute arbitrary code.
4) Out-of-bounds write (CVE-ID: CVE-2024-49835)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in SPS Applications. A local application can execute arbitrary code.
5) Detection of error condition without action (CVE-ID: CVE-2024-49841)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Hypervisor. A local application can execute arbitrary code.
6) Improper Access Control (CVE-ID: CVE-2024-49842)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Hypervisor. A local application can execute arbitrary code.
7) Improper input validation (CVE-ID: CVE-2024-49844)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive. A local application can execute arbitrary code.
8) Buffer over-read (CVE-ID: CVE-2024-49846)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can read and manipulate data.
9) Out-of-bounds write (CVE-ID: CVE-2024-45581)
The vulnerability allows a local application to read, manipulate or delete data.
The vulnerability exists due to improper input validation in Audio. A local application can read, manipulate or delete data.
10) Buffer over-read (CVE-ID: CVE-2024-49847)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can perform a denial of service (DoS) attack.
11) Improper Access Control (CVE-ID: CVE-2025-21469)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local application can execute arbitrary code.
12) Improper Access Control (CVE-ID: CVE-2025-21470)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local application can execute arbitrary code.
13) Buffer over-read (CVE-ID: CVE-2025-21475)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Display. A local application can execute arbitrary code.
14) Use After Free (CVE-ID: CVE-2025-21453)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in GPS HLOS Driver. A local application can execute arbitrary code.
15) Buffer over-read (CVE-ID: CVE-2025-21459)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Host Communication. A remote attacker can perform a denial of service (DoS) attack.
16) Buffer overflow (CVE-ID: CVE-2024-49830)
The vulnerability allows a local application to read, manipulate or delete data.
The vulnerability exists due to improper input validation in Audio. A local application can read, manipulate or delete data.
17) Improper input validation (CVE-ID: CVE-2024-45577)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local application can execute arbitrary code.
18) Out-of-bounds write (CVE-ID: CVE-2025-21462)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Computer Vision. A local application can execute arbitrary code.
19) Use After Free (CVE-ID: CVE-2024-45567)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local application can execute arbitrary code.
20) Out-of-bounds write (CVE-ID: CVE-2025-21467)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Computer Vision. A local application can execute arbitrary code.
21) Out-of-bounds write (CVE-ID: CVE-2025-21468)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Computer Vision. A local application can execute arbitrary code.
22) Use After Free (CVE-ID: CVE-2024-45554)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in DSP Service. A local application can execute arbitrary code.
23) Use After Free (CVE-ID: CVE-2024-45562)
The vulnerability allows a local application to read, manipulate or delete data.
The vulnerability exists due to improper input validation in HLOS. A local application can read, manipulate or delete data.
24) Out-of-bounds write (CVE-ID: CVE-2024-45563)
The vulnerability allows a local application to read, manipulate or delete data.
The vulnerability exists due to improper input validation in Camera Driver. A local application can read, manipulate or delete data.
25) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2024-45565)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local application can execute arbitrary code.
26) Use After Free (CVE-ID: CVE-2024-45566)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local application can execute arbitrary code.
27) Buffer over-read (CVE-ID: CVE-2024-45568)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local privileged application can execute arbitrary code.
28) Improper Validation of Array Index (CVE-ID: CVE-2024-45576)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local application can execute arbitrary code.
29) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2024-45570)
The vulnerability allows a local application to read, manipulate or delete data.
The vulnerability exists due to improper input validation in Camera Driver. A local application can read, manipulate or delete data.
30) Improper Validation of Array Index (CVE-ID: CVE-2024-45574)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local application can execute arbitrary code.
31) Improper Validation of Array Index (CVE-ID: CVE-2024-45578)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local application can execute arbitrary code.
32) Improper input validation (CVE-ID: CVE-2024-45579)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local application can execute arbitrary code.
33) Buffer overflow (CVE-ID: CVE-2024-49829)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera. A local privileged application can execute arbitrary code.
34) Use After Free (CVE-ID: CVE-2024-45564)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in HLOS. A local application can execute arbitrary code.
35) Integer overflow (CVE-ID: CVE-2024-45575)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local application can execute arbitrary code.
Remediation
Install update from vendor's website.