Qualcomm has rolled out security updates to address nearly two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a user-after-free bug in the Digital Signal Processor (DSP) Service that could lead to “memory corruption while maintaining memory maps of HLOS memory.”
Qualcomm credited Google Project Zero researcher Seth Jenkins-Google Project Zero and Conghui Wang for reporting the flaw, and Amnesty International Security Lab for confirming in-the-wild activity.
“There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation,” the chipmaker said in an advisory.
“Patches for the issue affecting FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible.”
The full scope of the attacks and their impact is presently unknown, although it’s possible that it may have been weaponized as part of spyware attacks targeting civil society members.
October’s patch also addresses a critical flaw in the WLAN Resource Manager (CVE-2024-33066, CVSS score: 9.8) that’s caused by an improper input validation and could result in memory corruption.
The development comes as Google released its own monthly Android security bulletin with fixes for 28 vulnerabilities, which also comprise issues identified in components from Imagination Technologies, MediaTek, and Qualcomm.