Qualcomm has rolled out security updates to address nearly two dozen vulnerabilities across its proprietary and open-source components. Among these vulnerabilities is a high-severity flaw tracked as CVE-2024-43047, characterized as a use-after-free bug in the Digital Signal Processor (DSP) Service. This vulnerability has a CVSS score of 7.8 and can lead to memory corruption while memory maps of high-level operating system (HLOS) memory are being maintained. Researchers Seth Jenkins and Conghui Wang from Google Project Zero reported the issue, while Amnesty International Security Lab confirmed that it is being actively exploited in the wild.
In its advisory, Qualcomm noted indications from the Google Threat Analysis Group that CVE-2024-43047 is currently under limited, targeted exploitation. The company has provided patches for the affected FASTRPC driver and has strongly urged original equipment manufacturers (OEMs) to implement these updates as quickly as possible. The full scope and impact of the ongoing attacks remain unclear, but there are concerns that the vulnerability may have been weaponized for spyware attacks against civil society members, raising alarms about the implications for user privacy and security.
Additionally, Qualcomm’s October security patch addresses another critical vulnerability in the WLAN Resource Manager, designated as CVE-2024-33066. This flaw has a CVSS score of 9.8 and results from improper input validation, which could lead to memory corruption as well. The discovery of these vulnerabilities underscores the increasing challenges in mobile security, as attackers continually seek to exploit weaknesses in widely used components.
In conjunction with Qualcomm’s updates, Google has released its monthly Android security bulletin, which includes fixes for 28 vulnerabilities across various components, including those from other manufacturers such as Imagination Technologies and MediaTek. As the mobile threat landscape continues to evolve, timely updates and patches are essential for safeguarding users and their devices. Qualcomm’s proactive approach serves as a crucial reminder of the importance of maintaining robust security measures in the face of emerging threats.