Qualcomm has rolled out security updates to handle almost two dozen flaws spanning proprietary and open-source elements, together with one which has come underneath energetic exploitation within the wild.
The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS rating: 7.8), has been described as a user-after-free bug within the Digital Sign Processor (DSP) Service that might result in “reminiscence corruption whereas sustaining reminiscence maps of HLOS reminiscence.”
Qualcomm credited Google Challenge Zero researcher Seth Jenkins-Google Challenge Zero and Conghui Wang for reporting the flaw, and Amnesty Worldwide Safety Lab for confirming in-the-wild exercise.
“There are indications from Google Risk Evaluation Group that CVE-2024-43047 could also be underneath restricted, focused exploitation,” the chipmaker stated in an advisory.
“Patches for the difficulty affecting FASTRPC driver have been made out there to OEMs along with a robust suggestion to deploy the replace on affected units as quickly as attainable.”
The total scope of the assaults and their impression is presently unknown, though it is attainable that it could have been weaponized as a part of spyware and adware assaults concentrating on civil society members.
October’s patch additionally addresses a crucial flaw within the WLAN Useful resource Supervisor (CVE-2024-33066, CVSS rating: 9.8) that is brought on by an improper enter validation and will lead to reminiscence corruption.
The event comes as Google launched its personal month-to-month Android security bulletin with fixes for 28 vulnerabilities, which additionally comprise points recognized in elements from Creativeness Applied sciences, MediaTek, and Qualcomm.
