Chipmaker Qualcomm has launched extra details about three high-severity security flaws that it mentioned got here below “restricted, focused exploitation” again in October 2023.
The vulnerabilities are as follows –
- CVE-2023-33063 (CVSS rating: 7.8) – Reminiscence corruption in DSP Providers throughout a distant name from HLOS to DSP.
- CVE-2023-33106 (CVSS rating: 8.4) – Reminiscence corruption in Graphics whereas submitting a big record of sync factors in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
- CVE-2023-33107 (CVSS rating: 8.4) – Reminiscence corruption in Graphics Linux whereas assigning shared digital reminiscence area throughout IOCTL name.
Google’s Risk Evaluation Group and Google Challenge Zero revealed again in October 2023 that the three flaws, together with CVE-2022-22071 (CVSS rating: 8.4), have been exploited within the wild as a part of restricted, focused assaults.
A security researcher named luckyrb, the Google Android Safety group, and TAG researcher Benoît Sevens and Jann Horn of Google Challenge Zero have been credited with reporting the security vulnerabilities, respectively.
It is at present not recognized how these shortcomings have been weaponized, and who’re behind the assaults.
The event, nevertheless, has prompted the U.S. Cybersecurity and Infrastructure Safety Company (CISA) so as to add the 4 bugs to its Identified Exploited Vulnerabilities (KEV) catalog, urging federal companies to use the patches by December 26, 2023.
It additionally follows Google’s announcement that the December 2023 security updates for Android tackle 85 flaws, together with a crucial concern within the System part tracked as CVE-2023-40088 that “might result in distant (proximal/adjoining) code execution with no further execution privileges wanted” and with none consumer interplay.
