Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets.
The security flaw (CVE-2024-43047) was reported by Google Project Zero's Seth Jenkins and Amnesty International Security Lab's Conghui Wang. It is caused by a use-after-free weakness that can lead to memory corruption when successfully exploited by local attackers with low privileges.
“Currently, the DSP updates header buffers with unused DMA handle fds. In the put_args section, if any DMA handle FDs are present in the header buffer, the corresponding map is freed,” as explained in a DSP kernel commit.
“However, since the header buffer is exposed to users in unsigned PD, users can update invalid FDs. If this invalid FD matches with any FD that is already in use, it could lead to a use-after-free (UAF) vulnerability.”
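The pattern the commit message describes, reduced to a toy model in C (an added example, not Qualcomm's driver code or its patch). The struct fields, function names and fd values are constructed for illustration, and freeing is modelled with a flag so the program itself stays memory-safe.

```c
#include <stddef.h>

#define MAX_MAPS 4

/* Toy stand-in for a kernel-side buffer mapping (hypothetical fields). */
struct map {
    int fd;            /* fd the mapping was created from */
    int live;          /* 1 while the mapping is allocated */
    int is_dma_handle; /* set by the trusted side when it passed this fd as a DMA handle */
};

static struct map *find_live(struct map *t, int fd) {
    for (size_t i = 0; i < MAX_MAPS; i++)
        if (t[i].live && t[i].fd == fd)
            return &t[i];
    return NULL;
}

/* Pattern from the commit text: free whatever fd the shared header names. */
int put_args_trusting(struct map *t, const int *hdr_fds, size_t n) {
    int freed = 0;
    for (size_t i = 0; i < n; i++) {
        struct map *m = find_live(t, hdr_fds[i]);
        if (m) { m->live = 0; freed++; } /* any other holder of m now dangles */
    }
    return freed;
}

/* Hardened form: the header is only a hint; trusted state decides what is freed. */
int put_args_checked(struct map *t, const int *hdr_fds, size_t n) {
    int freed = 0;
    for (size_t i = 0; i < n; i++) {
        struct map *m = find_live(t, hdr_fds[i]);
        if (m && m->is_dma_handle) { m->live = 0; freed++; }
    }
    return freed;
}

/* Constructed scenario: fd 5 is an ordinary in-use buffer, fd 7 a DMA handle;
   the untrusted side has rewritten the header so that it names both. */
int run_scenario(int checked, int *fd5_still_live) {
    struct map t[MAX_MAPS] = { {5, 1, 0}, {7, 1, 1} };
    const int tampered_hdr[] = { 5, 7 };
    int freed = checked ? put_args_checked(t, tampered_hdr, 2)
                        : put_args_trusting(t, tampered_hdr, 2);
    *fd5_still_live = t[0].live;
    return freed;
}
```
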
As the company cautioned in a Monday security advisory, security researchers with Google's Threat Analysis Group and Amnesty International Security Lab tagged the vulnerability as exploited in the wild. Both groups are known for discovering zero-day bugs exploited in spyware attacks targeting the mobile devices of high-risk individuals, including journalists, opposition politicians, and dissidents.
“There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation,” Qualcomm warned today. “Patches for the issue affecting FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible.”
Qualcomm also urged users to contact their device manufacturer for more details regarding their specific devices' patch status.
Today, the company also fixed an almost maximum severity flaw (CVE-2024-33066) in the WLAN Resource Manager, reported more than a year ago and caused by an improper input validation weakness that could lead to memory corruption.
In October last year, Qualcomm also warned that attackers were exploiting three zero-day vulnerabilities in its GPU and Compute DSP drivers in the wild.
According to reports from Google's Threat Analysis Group (TAG) and Project Zero teams, they were used for limited, targeted exploitation. Google and Qualcomm have yet to reveal additional information on these attacks.
Recently, Qualcomm has also patched chipset vulnerabilities that could allow attackers to access users' media files, text messages, call history, and real-time conversations.
Qualcomm also fixed flaws in its Snapdragon Digital Signal Processor (DSP) chip that allowed hackers to control smartphones without user interaction, spy on their users, and create unremovable malware capable of evading detection.
KrØØk, another vulnerability patched in 2020, enabled attackers to decrypt some WPA2-encrypted wireless network packets, while yet another now-fixed bug allowed access to critical data.