Qualcomm has rolled out security updates to address nearly two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a use-after-free bug in the Digital Signal Processor (DSP) Service that could lead to “memory corruption while maintaining memory maps of HLOS memory.”
Qualcomm credited Google Project Zero researcher Seth Jenkins and Conghui Wang for reporting the flaw, and Amnesty International Security Lab for confirming in-the-wild activity.
“There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation,” the chipmaker said in an advisory.
“Patches for the issue affecting FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible.”
The full scope of the attacks and their impact is presently unknown, although it is possible that the flaw was weaponized as part of spyware attacks targeting civil society members.
October’s patch also addresses a critical flaw in the WLAN Resource Manager (CVE-2024-33066, CVSS score: 9.8) that is caused by improper input validation and could result in memory corruption.
The development comes as Google released its own monthly Android security bulletin with fixes for 28 vulnerabilities, which also include issues identified in components from Imagination Technologies, MediaTek, and Qualcomm.