Qualcomm Patches Actively Exploited Zero-Day Vulnerability

Qualcomm has released security updates to address nearly two dozen vulnerabilities, affecting both proprietary and open-source components. Among them, one stands out as being actively exploited in real-world attacks.

This critical vulnerability, identified as CVE-2024-43047 with a CVSS score of 7.8, stems from a Use-After-Free error in the Digital Signal Processor (DSP) service. It has the potential to cause memory corruption when saving HLOS memory cards.

The issue was reported by Google Project Zero researchers Seth Jenkins and Kongwei Wang, with Amnesty International’s Security Lab confirming its active exploitation.

In its advisory, Qualcomm noted that, according to Google’s Threat Analysis Group, this vulnerability could be used for targeted attacks. The chipmaker also strongly urged OEMs to release patches for devices affected by this issue, particularly for the FASTRPC driver.

It is not yet known how widespread these attacks have been, but there is a possibility that the vulnerability may have been used for espionage against civil society figures.

Additionally, the October update addresses a critical vulnerability in the WLAN Resource Manager (CVE-2024-33066), which has been given a CVSS score of 9.8. The issue arises from improper input validation and can also result in memory corruption.

Qualcomm’s updates were released alongside Google’s monthly Android security bulletin, which patched 28 vulnerabilities, including issues in components from Imagination Technologies, MediaTek, and Qualcomm.