Qualcomm Releases Details About Chip Vulnerabilities Exploited in Targeted Attacks

December 06, 2023NewsroomVulnerability / Mobile Security

Qualcomm

Chipmaker Qualcomm has released more information about three serious security flaws it says are subject to “limited, targeted exploitation” in October 2023.

the weaknesses are as follows-

  • CVE-2023-33063 (CVSS score: 7.8) – Memory corruption in DSP Services during a remote call from HLOS to DSP.
  • CVE-2023-33106 (CVSS score: 8.4) – Memory corruption in Graphics while submitting a large list of sync points in an AUX command to IOCTL_KGSL_GPU_AUX_COMMAND.
  • CVE-2023-33107 (CVSS score: 8.4) – Memory corruption in Graphics Linux while assigning a shared virtual memory region during an IOCTL call.

Google’s Threat Analysis Group and Google Project Zero revealed in October 2023 that the three flaws, along with CVE-2022-22071 (CVSS score: 8.4), exploited in the wild in limited, targeted attacks.

Cybersecurity

A security researcher named luckyrb, the Google Android Security team, and TAG researcher Benoît Sevens and Jann Horn of Google Project Zero are credited with reporting the security vulnerabilities, respectively.

It is currently unknown how these deficiencies became a weapon, and who is behind the attacks.

The development, however, prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add four bugs in Known Exploited Vulnerabilities (KEV SEARCHED) catalog, urging federal agencies to apply the patches by December 26, 2023.

It also follows Google advertisement that the December 2023 security updates for Android address 85 flaws, including a critical issue in the System component tracked as CVE-2023-40088 that “could lead to remote (proximal/adjacent) code execution that no additional execution privileges are required” and there is no user interaction whatsoever.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment