Qualcomm has unveiled details about three high-severity security flaws that faced limited, targeted exploitation in October 2023. The vulnerabilities include memory corruption issues in DSP Services and Graphics, allowing remote execution. Google’s Threat Analysis Group (TAG) and Project Zero disclosed the flaws, stating they were exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the bugs to its Known Exploited Vulnerabilities catalog, setting a patch deadline for federal agencies. Simultaneously, Google addressed 85 flaws, including a critical CVE-2023-40088 in Android, capable of remote code execution without user interaction.
The Qualcomm vulnerabilities (CVE-2023-33063, CVE-2023-33106, CVE-2023-33107) revealed limited, targeted attacks, leading to scrutiny by security experts and authorities. These flaws involve memory corruption in DSP Services and Graphics, providing avenues for remote execution. Google’s TAG and Project Zero disclosed the vulnerabilities, emphasizing their exploitation in real-world scenarios. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included the flaws in its Known Exploited Vulnerabilities list, mandating patch application by December 26, 2023, for federal agencies. Simultaneously, Google addressed 85 vulnerabilities, with a critical one (CVE-2023-40088) in Android’s System component, enabling remote code execution without user interaction. Qualcomm discloses three security flaws (CVE-2023-33063, CVE-2023-33106, CVE-2023-33107) exploited in limited, targeted attacks in October 2023.
The vulnerabilities involve memory corruption in DSP Services and Graphics, facilitating remote execution. Google’s TAG and Project Zero reported the flaws, highlighting their real-world exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responds by adding the vulnerabilities to its Known Exploited Vulnerabilities catalog, setting a patch deadline for federal agencies. Simultaneously, Google releases Android security updates, addressing 85 vulnerabilities, including a critical one (CVE-2023-40088) capable of remote code execution without user interaction.
Reference:
