Qualcomm Issues Critical Security Updates For Vulnerabilities Under Active Exploitation

These developments coincide with Google’s release of its monthly Android security bulletin

Qualcomm has released important security updates addressing nearly two dozen vulnerabilities in both proprietary and open-source components, one of which is being actively exploited in the wild.

The most concerning flaw, tracked as CVE-2024-43047 with a CVSS score of 7.8, is a high-severity vulnerability in the Digital Signal Processor (DSP) Service. It is a use-after-free bug that could result in memory corruption while the service maintains memory maps of High-Level Operating System (HLOS) memory.

The vulnerability was reported by Seth Jenkins of Google Project Zero and Conghui Wang, and confirmed by Amnesty International Security Lab, which observed signs of in-the-wild exploitation.

In an advisory, Qualcomm warned that CVE-2024-43047 may already be under “limited, targeted exploitation,” according to the Google Threat Analysis Group. Patches for the vulnerability in the FASTRPC driver have been made available to Original Equipment Manufacturers (OEMs), with Qualcomm urging them to deploy the updates as soon as possible. While the full extent of the attacks remains unclear, the bug is suspected to have been used in spyware attacks targeting members of civil society.

In addition to this vulnerability, Qualcomm’s October security patch addresses a critical flaw in the WLAN Resource Manager (CVE-2024-33066), which carries a CVSS score of 9.8. This issue, caused by improper input validation, could also lead to memory corruption, posing a serious threat to affected devices.

These developments coincide with Google’s release of its monthly Android security bulletin, which includes fixes for 28 vulnerabilities, several of which involve components from Qualcomm, MediaTek, and Imagination Technologies.

As cybersecurity concerns continue to grow, it remains vital for device manufacturers and users to prioritize timely updates to mitigate potential threats.
