Qualcomm Patches 3 Critical Flaws in January 2024 Security Bulletin

CVE-2023-33025

In a proactive maneuver, US chip giant Qualcomm has recently addressed 14 vulnerabilities within its array of products. Among these, three critical flaws have garnered particular attention due to their severity and potential impact.

1. CVE-2023-33025 (CVSS 9.8): This vulnerability, rooted in memory corruption during non-standard SDP bodies in VOLTE calls, has placed a wide range of chipsets under scrutiny, including the Snapdragon series and the WCD and WCN lines. The flaw’s CVSS score of 9.8 highlights its critical nature, signaling an urgent need for patching.

CVE-2023-33025
2. CVE-2023-33030 (CVSS 9.3): Another memory corruption issue, but this time in the HLOS during the playready use-case, affects an even broader range of Qualcomm products. The vulnerability spans across various platforms, from IoT modems to automotive and audio products.

3. CVE-2023-33032 (CVSS 9.3): The third critical flaw involves memory corruption in the TZ Secure OS while requesting memory allocation from the TA region, affecting numerous chipsets including the Snapdragon series and various modem and audio platforms.

These vulnerabilities, if exploited, could lead to serious consequences like arbitrary code execution or denial of service (DoS) attacks.

Beyond these three, Qualcomm has also addressed several vulnerabilities rated as ‘high’ severity. These primarily impact ESL, WLAN firmware, and automotive products, characterized mainly as memory bugs and information disclosure issues. In the digital realm where memory bugs can escalate quickly into severe security breaches, Qualcomm’s comprehensive approach is both commendable and crucial.

Qualcomm is not aware of any malicious use of the vulnerability that is described in this advisory.