Qualcomm issues response to possible spyware exploit within devices

Qualcomm is urging device makers that use a selection of its chips to implement the fixes the company has rolled out for vulnerabilities within chip firmware that reports state has been exploited in the wild.

2

The Register reports the vulnerability that affects the following Qualcomm chips: Snapdragon 660 and newer models, Qualcomm's 5G modems, FastConnect 6700, 6800, 6900, and 7800 Wi-Fi/Bluetooth kits, were subject to a vulnerability called "CVE-2024-43047," which was rated 7.8 out of 10 on the CVSS rating scale. The vulnerability was reported by Google's Project Zero team and Amnesty International's code testers, and reports indicate that the involvement of the latter group of code testers indicates third parties exploited the bug.

Other notable security flaws out of the 20 patches Qualcomm rolled out is CVE-2024-33066, an input validation issue with the WLAN resource manager. This flaw received a 9.8 CVSS ranking, but luckily hasn't yet, or at least publicly, exploited. Other flaws within the firmware involve memory corruption in the camera driver, and a similar memory flaw related to the device's operating system.

"There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation," Qualcomm said in its advisory for the updates. "Patches for the issue affecting the FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible."

• Read more: Google responds to claims Pixel smartphones send private user data to Google every 15 minutes