Qualcomm has issued a warning about three zero-day vulnerabilities in its GPU and Compute DSP drivers that are currently being exploited by hackers. These vulnerabilities, CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063, were brought to Qualcomm’s attention by Google’s Threat Analysis Group and Project Zero teams.
The company has responded by releasing security updates to address the issues in its Adreno GPU and Compute DSP drivers and has urged impacted OEMs to implement these updates promptly.
While Qualcomm has disclosed details about the CVE-2022-22071 flaw, it has not provided specifics about the actively exploited vulnerabilities, with plans to reveal more information in its December 2023 bulletin.
Qualcomm’s recent security bulletin also highlights three other critical vulnerabilities. CVE-2023-24855 involves memory corruption in Qualcomm’s Modem component during the processing of security-related configurations before the AS Security Exchange, while CVE-2023-28540 relates to a cryptographic issue in the Data Modem component stemming from improper authentication during the TLS handshake.
CVE-2023-33028 pertains to memory corruption in the WLAN firmware when copying the pmk cache memory without performing size checks. Although these vulnerabilities are remotely exploitable and pose significant security risks, there is no current evidence of exploitation.
To protect against these vulnerabilities, impacted consumers are advised to promptly apply available updates through their OEM channels. Since driver flaws usually require local access to exploit, users of Android devices should exercise caution when downloading apps, obtaining them only from reputable sources to minimize potential security risks.
Additionally, Qualcomm’s disclosure emphasizes the importance of staying vigilant and maintaining up-to-date security practices in the face of evolving cybersecurity threats.