Google researchers have identified critical security vulnerabilities within Qualcomm’s Adreno GPU, potentially affecting billions of Android devices globally. If exploited, these vulnerabilities could lead to unauthorized access and control over affected devices, posing a substantial risk to users’ data and privacy.
Qualcomm, a leading manufacturer of mobile processors and wireless chipsets, has confirmed the existence of these vulnerabilities in its latest security bulletin.
The company has been working closely with Android device manufacturers to develop and deploy necessary patches to mitigate the risks associated with these flaws.
Details of the Qualcomm’s Adreno GPU Vulnerabilities
Security researchers identified vulnerabilities primarily associated with Qualcomm’s proprietary software used in the Adreno GPU. These issues have been categorized as high-impact, with several receiving a critical security rating.
The vulnerabilities span multiple technology areas, including the Multi-Mode Call Processor, Hypervisor, and HLOS (High-Level Operating System).
The vulnerabilities impact many popular Android smartphones and tablets, including devices from Samsung, Google, Xiaomi, OnePlus, and many other manufacturers that utilize Qualcomm’s Adreno GPU in their chipsets.
Qualcomm has published a list of affected chipsets in its security bulletin, urging device manufacturers to integrate the provided patches into their firmware updates promptly.
The vulnerabilities stem from improper memory management within the Adreno GPU driver, which could lead to memory corruption, information leakage, and arbitrary code execution. By crafting malicious apps or exploiting compromised websites, attackers could potentially gain elevated privileges on the affected devices.
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access
High Severity Key Vulnerabilities
- CVE-2024-23350: A critical vulnerability in the Multi-Mode Call Processor that could lead to a Denial of Service (DoS) attack. This issue arises when the DL NAS transport receives multiple payloads, one of which contains a Security of Radio (SOR) container with a failed integrity check.
- CVE-2024-21481: A high-severity vulnerability in the Hypervisor that results in memory corruption during shared memory notification preparation. This flaw could allow attackers to execute arbitrary code on the affected device.
- CVE-2024-23352: Another critical issue in the Multi-Mode Call Processor, where an infinite loop condition could be triggered, leading to a transient DoS.
- CVE-2024-23353: This vulnerability involves a buffer over-read in the Multi-Mode Call Processor, potentially causing a transient DoS while decoding certain network messages.
In addition to the Adreno GPU vulnerabilities, researchers have also uncovered a buffer over-read flaw in Qualcomm’s audio processing component.
This vulnerability, CVE-2024-21479, can lead to a transient denial-of-service (DOS) condition during the playback of ALAC audio content. While not as severe as the GPU flaws, this vulnerability still risks the stability and reliability of affected devices.
According to the Qualcomm report, this list high-impact security vulnerabilities. Patches are being actively shared with OEMs, who have been notified and strongly recommended to deploy those patches on released devices as soon as possible. Please contact the device manufacturer for information on the patching status of released devices.
Impact and Response
The vulnerabilities affect many Qualcomm chipsets, including popular ones like the Snapdragon 8 Gen 3 Mobile Platform and various 5G Modem-RF Systems.
Given the extensive use of Qualcomm chipsets in Android devices, the potential impact is vast, affecting billions of users worldwide.
Qualcomm has acknowledged these vulnerabilities and is actively working with Original Equipment Manufacturers (OEMs) to distribute patches. Users are strongly advised to update their devices when patches become available to mitigate potential risks.
Qualcomm has expressed gratitude to the researchers who reported these issues and is coordinating with industry partners to ensure timely updates.
The company also collaborates with the Google Android Security team to address these vulnerabilities comprehensively.
The discovery of these vulnerabilities underscores the importance of robust security measures in software development and the need for continuous vigilance in the tech industry.
Users are encouraged to stay informed about security updates and protect their devices against threats.
Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download