Qualcomm patches 3 actively exploited zero-days

Qualcomm has fixed three actively exploited vulnerabilities (CVE-2023-33106, CVE-2023-33107, CVE-2023-33063) in its Adreno GPU and Compute DSP drivers.

Vulnerabilities exploited in Qualcomm GPU and DSP drivers

The US-based semiconductor company has been notified by Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2023-33063, and CVE-2022-22071 “may be under limited, targeted exploitation”.

CVE-2022-22071 is an older use-after-free vulnerability found in Automotive Android OS and patched in May 2022.

Additional information about the three zero-days will be shared in the December security bulletin, but the company has released patches for them. “OEMs have been notified with a strong recommendation to deploy security updates as soon as possible,” the company said.

In similar/related news, Arm has patched a zero-day vulnerability (CVE-2023-4211) in the kernel drivers for several Mali GPUs being exploited in targeted attacks, also spotted by Google TAG and Project Zero researchers.

Additional issues

In this month’s security bulletin, Qualcomm has disclosed additional seventeen vulnerabilities, of which three have been rated as critical:

• CVE-2023-24855 – A memory corruption in Modem while processing security related configuration before AS Security Exchange.
• CVE-2023-28540 – A cryptographic issue in Data Modem due to improper authentication during TLS handshake.
• CVE-2023-33028 – A memory corruption in WLAN Firmware while doing a memory copy of pmk cache.

There are no indications that these additional vulnerabilities have been exploited in the wild.