Headline
Qualcomm Releases Patch for 3 new Zero-Days Under Active Exploitation
Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation. Of the 17 flaws, three are rated Critical, 13 are rated High, and one is rated Medium in severity. "There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107,
Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation.
Of the 17 flaws, three are rated Critical, 13 are rated High, and one is rated Medium in severity.
“There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation,” the semiconductor company said in an advisory.
“Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible.”
CVE-2022-22071 (CVSS score: 8.4), described as a use-after-free in Automotive OS Platform, was originally patched by the company as part of its May 2022 updates.
While additional specifics about the remaining other flaws are expected to be made public in December 2023, the disclosure comes the same day Arm shipped patches for a security flaw in the Mali GPU Kernel Driver (CVE-2023-4211) that has also come under limited, targeted exploitation.
Qualcomm’s October 2023 updates also address three critical issues, although there is no evidence that they have been abused in the wild -
- CVE-2023-24855 (CVSS score: 9.8) - Memory corruption in Modem while processing security related configuration before AS Security Exchange.
- CVE-2023-28540 (CVSS score: 9.1) - Cryptographic issue in Data Modem due to improper authentication during TLS handshake.
- CVE-2023-33028 (CVSS score: 9.8) - Memory corruption in WLAN Firmware while doing a memory copy of pmk cache.
Users are advised to apply updates from original equipment manufacturers (OEMs) as soon as they become available.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses. The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by
Permission management vulnerability in the module for disabling Sound Booster. Successful exploitation of this vulnerability may cause features to perform abnormally.
Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023. The vulnerabilities are as follows - CVE-2023-33063 (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP. CVE-2023-33106 (CVSS score: 8.4) - Memory corruption in
In parse_gap_data of utils.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
Security best practices violations, a string operation in Streamingmedia will write past the end of fixed-size destination buffer if the source buffer is too large.
Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.
Categories: Android Categories: News Tags: Google Tags: Android Tags: Qualcomm Tags: webp Tags: ARM Mali Tags: cve-2023-4863 Tags: cve-2023-4211 Tags: cve-2023-33106 Tags: cve-2023-33107 Tags: cve-2023-22071 Tags: cve-2023-33063 Tags: 2023-10-006 Tags: patch level Google has patched 53 vulnerabilities in its Android October security updates, two of which are known to be actively exploited. (Read more...) The post Update your Android devices now! Google patches two actively exploited vulnerabilities appeared first on Malwarebytes Labs.
Arm has released security patches to contain a security flaw in the Mali GPU Kernel Driver that has come under active exploitation in the wild. Tracked as CVE-2023-4211, the shortcoming impacts the following driver versions - Midgard GPU Kernel Driver: All versions from r12p0 - r32p0 Bifrost GPU Kernel Driver: All versions from r0p0 - r42p0 Valhall GPU Kernel Driver: All versions from r19p0 -