Qualcomm Confirms Exploitation of High-Severity Bug

Chipmaker Qualcomm has disclosed a high-severity vulnerability in the Digital Signal Processor (DSP) service. According to Google Threat Analysis Group (TAG) and the Amnesty International Security Lab, the flaw (CVE-2024-43047) is being exploited in the wild.

Key Details: 

• The vulnerability is a use-after-free issue in the DSP service, which could allow for memory corruption “while maintaining memory maps of HLOS memory.” The access vector is listed as local, and the flaw has a (high-severity) 7.8 out of 10 CVSS score

• A broad range of Qualcomm chipsets are impacted by the flaw, ranging from FastConnect to the well-known Snapdragon lineup. The full list of impacted chipsets can be found in Qualcomm’s advisory

• The flaw was first reported July 29, and customers were notified Sept. 2, before public disclosure on Monday. Multiple teams were credited with reporting the flaw and exploitation activity, including Seth Jenkins with Google Project Zero and Conghui Wang, Amnesty International Security Lab

The Big Picture: While further details about the flaw are available on the dsp-kernel commit page, Qualcomm has not disclosed further details about the exploitation activity. Google TAG has said that the flaw is under “limited, targeted exploitation.” Both Google TAG and Amnesty International are known for their research on zero-day vulnerabilities used in targeted spyware attacks against activists, journalists and more.

Vendor Response: Qualcomm in its Monday advisory told users to contact their device manufacturers for more information about the status of patches for specific devices. The company in its advisory said: “Patches for the issue affecting FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible.”