Qualcomm is warning of three zero-day vulnerabilities in its GPU and Compute DSP drivers that hackers are actively exploiting in attacks.
The American semiconductor company was told by Google’s Threat Analysis Group (TAG) and Project Zero teams that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.
Qualcomm says it has released security updates that address the issues in its Adreno GPU and Compute DSP drivers, and impacted OEMs have also been notified.
The CVE-2022-22071 flaw was disclosed in May 2022 and is a high-severity (CVSS v3.1: 8.4), locally exploitable use-after-free bug impacting popular chips like the SD855, SD865 5G, and SD888 5G.
Qualcomm has not released any details on the actively exploited CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063 flaws and will provide more information in its December 2023 bulletin.
This month’s security bulletin also warns of three other critical vulnerabilities:
- CVE-2023-24855: Memory corruption in Qualcomm’s Modem component occurring when processing security-related configurations before the AS Security Exchange. (CVSS v3.1: 9.8)
- CVE-2023-28540: Cryptographic issue in the Data Modem component arising from improper authentication during the TLS handshake. (CVSS v3.1: 9.1)
- CVE-2023-33028: Memory corruption in the WLAN firmware occurring while copying the pmk cache memory without performing size checks. (CVSS v3.1: 9.8)
Along with the above, Qualcomm has disclosed 13 high-severity flaws and another three critical-severity vulnerabilities discovered by its engineers.
Because the CVE-2023-24855, CVE-2023-28540, and CVE-2023-33028 flaws are all remotely exploitable, they are critical from a security standpoint, but there is no indication they are exploited.
Unfortunately, there is not a lot impacted consumers can do besides applying the available updates as soon as these reach them through the usual OEM channels.
Flaws in drivers usually require local access to exploit, typically achieved through malware infections, so Android device owners are recommended to limit the number of apps they download and only source them from trustworthy repositories.
Yesterday, Arm issued a similar security advisory warning about an actively exploited flaw (CVE-2023-4211), discovered and reported to them by Google’s Threat Analysis Group (TAG) and Project Zero, which impacts a wide range of Mali GPU drivers.