Qualcomm zero-day under targeted exploitation (CVE-2024-43047)

An actively exploited zero-day vulnerability (CVE-2024-43047) affecting dozens of Qualcomm’s chipsets has been patched by the American semiconductor giant.

cve-2024-43047="" qualcomm-multiple-chipsets-use-after-free-vulnerability="" "="" title="Qualcomm Multiple Chipsets Use-After-Free Vulnerability">CVE-2024-43047" title="Qualcomm">

About CVE-2024-43047

On Monday, Qualcomm has confirmed patches for 20 vulnerabilities affecting both proprietary and open source software running on its various chipsets.

Among those is CVE-2024-43047, a use-after-free vulnerability in the Digital Signal Processor (DSP) service that could lead to “memory corruption while maintaining memory maps of [high level operating system (HLOS)] memory.”

The vulnerability’s CVSS string shows that the vulnerability can be triggered by a local attacker with low privileges, with no user interaction required.

Seth Jenkins of Google Project Zero and Conghui Wang of Amnesty International Security Lab have been credited with reporting the vulnerability.

Jenkins confirmed that he found the issue in collaboration with Amnesty and Threat Analysis Group (TAG). Since both organizations are known for investigating mobile spyware targeting journalists, activists and dissidents, it seems likely that the vulnerability is being exploited by one or more commercial spyware makers.

“There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation,” Qualcomm noted, and urged original equipment manufacturers to “deploy (…) patches on released devices as soon as possible.”

Jenkins also expressed hope that CVE-2024-43047 will be patched on Android devices very soon. (The vulnerability hasn’t been mentioned in the Android Security Bulletin for October 2024.)

A year ago, Qualcomm has similarly warned about attackers exploiting three zero-day vulnerabilities in its Adreno GPU and Compute DSP drivers.