Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits
Qualcomm has rolled out security updates to address nearly two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a user-after-free bug in the Digital Signal Processor (DSP) Service that could lead to "memory corruption while maintaining memory maps of HLOS memory."
Qualcomm credited Google Project Zero researcher Seth Jenkins-Google Project Zero and Conghui Wang for reporting the flaw, and Amnesty International Security Lab for confirming in-the-wild activity.
"There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation," the chipmaker said in an advisory.
"Patches for the issue affecting FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible."
The full scope of the attacks and their impact is presently unknown, although it's possible that it may have been weaponized as part of spyware attacks targeting civil society members.
October's patch also addresses a critical flaw in the WLAN Resource Manager (CVE-2024-33066, CVSS score: 9.8) that's caused by an improper input validation and could result in memory corruption.
The development comes as Google released its own monthly Android security bulletin with fixes for 28 vulnerabilities, which also comprise issues identified in components from Imagination Technologies, MediaTek, and Qualcomm.
source: TheHackerNews
Free security scan for your website
Top News:
Hackers now use AppDomain Injection to drop CobaltStrike beacons
August 24, 2024New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks
November 12, 2024Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474)
November 18, 2024CWE top 25 most dangerous software weaknesses
November 21, 2024Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
November 21, 2024