Qualcomm has issued a critical security alert in its October 2024 security bulletin, addressing several vulnerabilities, including CVE-2024-43047, which is currently being exploited in the wild.
The flaw, located in the Digital Signal Processor (DSP) service of affected Qualcomm chipsets, can lead to memory corruption via a “Use After Free” vulnerability. Patches have been issued to device manufacturers (OEMs), and Qualcomm strongly urges them to deploy updates as soon as possible, while confirming active exploitation with:
“There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation.” – Qualcomm
The vulnerability is particularly severe because it could allow attackers to gain local privilege escalation on affected devices. Researchers from Google's Project Zero, alongside Conghui Wang and Amnesty International's Security Lab, were instrumental in identifying this issue and confirming its real-world exploitation. However, technical details have been withheld for now to prevent triggering more widespread exploitation until patches have reached end users.
Other critical vulnerabilities
Alongside CVE-2024-43047, the bulletin highlights other significant security flaws, including CVE-2024-33066, a critical vulnerability in the WLAN Resource Manager. This flaw could lead to memory corruption through improper input validation, posing a risk to a wide range of devices, including chipsets from Qualcomm's Immersive Home platforms, Snapdragon modems, and Wi-Fi chipsets.
Similarly, CVE-2024-23369, a high-severity flaw in Qualcomm's High-Level Operating System (HLOS), can trigger memory corruption when handling incorrect buffer lengths. Patches have also been issued for these flaws, but their availability to consumers depends on OEMs integrating the fixes.
Supply chain complexity and delays in patch deployment
One of the most significant challenges with vulnerabilities like CVE-2024-43047 is the time lag between when a patch is created and when it becomes available to users. Although Qualcomm has provided patches to OEMs, the process of integrating these fixes into custom firmware, testing compatibility, and distributing them as system updates can take weeks or even months. The latest Android Security Bulletin, published on the same day, does not yet include Qualcomm's fixes for CVE-2024-43047.
With Android devices relying on components from a diverse range of suppliers, vulnerabilities in individual chipset designs, like those from Qualcomm, often require cooperation between multiple stakeholders. This can result in significant delays, meaning that while Qualcomm's patches are available now, users may not receive the necessary updates until November 2024 or later, depending on their device manufacturer's schedule.
To protect against malicious attacks, Android users are advised to ensure Google Play Protect is enabled, avoid downloading apps from third-party stores, limit app permissions, and watch for suspicious behavior or atypical background activity.
who
The pattern with tech overall in growth seems it's at an inferior level to inify, while under unfavorable circumstances to a web user remains concrete.
(But, all these news articles you cover must bum you out, I think. Besides a bird's-eye view we readers don't have in any understandings of the big picture…)
Android devices relying patches since Android 11, as 11 has introduced several features that enable Original Equipment Manufacturers (OEMs) to deploy patches faster.
Particularly, Android 11’s GKI, Virtual A/B, Project Mainline, and OEM developer previews work together to streamline and accelerate OEM patch deployment, ultimately benefiting device users with faster and more reliable security updates.
Will that fix CVE-2024-43047, CVE-2024-33066, CVE-2024-23369 any faster? I don't know...