CVE-2022-25748: Critical Vulnerability in Qualcomm Chips Affects Billions of Devices

Qualcomm released this month’s security bulletin for its products to reveal a total of 12 new security vulnerabilities affecting multiple chipsets, 2 of which have been rated critical in severity.

Two critical vulnerabilities have been discovered in Qualcomm chipsets that could allow hackers to compromise Android devices remotely just by sending malicious packets. The vulnerabilities reside in the WLAN of Qualcomm chipsets that powers billions of Android smartphones and tablets.

CVE-2022-25748

Tracked as CVE-2022-25748 (CVSS score 9.8), the flaw concerns an “Integer Overflow to Buffer Overflow while parsing GTK frames” issue in Qualcomm’s WLAN component that could be exploited to trigger memory corruption that leads to arbitrary code execution.

All of the smart devices using the Qualcomm Snapdragon APQ, CSRA, IPQ, MDM, MSM, QCA, WSA, WCN, WCD, SW, SM, SDX, SD, SA, QRB, QCS, QCN, and more series are affected by the vulnerabilities.

Tracked as CVE-2022-25718 (CVSS score 9.1), the flaw is a “Cryptographic” issue due to improper check on return value while authentication handshake in Qualcomm’s WLAN component. The bug affects the Qualcomm chipsets as below:

7 high-security vulnerabilities (CVE-2022-25660, CVE-2022-25661, CVE-2022-25687, CVE-2022-25719, CVE-2022-25736, CVE-2022-25749, and CVE-2022-33210) affect KERNEL, Video, Network Service, WLAN Firmware and Multimedia component.

The 3 medium flaws in question are:

  • CVE-2022-25662: Information disclosure due to an untrusted pointer dereference in the kernel
  • CVE-2022-25663: Possible buffer overflow due to lack of buffer length check during management frame Rx handling lead to denial of service
  • CVE-2022-25665: Information disclosure due to buffer over read in kernel

CVE-2022-25718, CVE-2022-25748, CVE-2022-25660, CVE-2022-25661, CVE-2022-25687 CVE-2022-25736 CVE-2022-25749 were fixed in the Android Security Patch for October 2022. Users are strongly recommended to download the most recent Android security updates as soon as they are available in order to keep their Android devices protected against any potential attack.