Security News > 2023 > October > Qualcomm patches 3 actively exploited zero-days
Qualcomm has fixed three actively exploited vulnerabilities in its Adreno GPU and Compute DSP drivers.
Vulnerabilities exploited in Qualcomm GPU and DSP drivers.
The US-based semiconductor company has been notified by Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2023-33063, and CVE-2022-22071 "May be under limited, targeted exploitation".
CVE-2022-22071 is an older use-after-free vulnerability found in Automotive Android OS and patched in May 2022.
Additional information about the three zero-days will be shared in the December security bulletin, but the company has released patches for them.
There are no indications that these additional vulnerabilities have been exploited in the wild.
News URL
https://www.helpnetsecurity.com/2023/10/04/qualcomm-vulnerabilities-exploited/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-12-05 | CVE-2023-33107 | Integer Overflow or Wraparound vulnerability in Qualcomm products Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call. | 7.8 |
| 2023-12-05 | CVE-2023-33106 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products Memory corruption while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND. | 7.8 |
| 2023-12-05 | CVE-2023-33063 | Use After Free vulnerability in Qualcomm products Memory corruption in DSP Services during a remote call from HLOS to DSP. | 7.8 |
| 2022-06-14 | CVE-2022-22071 | Use After Free vulnerability in Qualcomm products Possible use after free when process shell memory is freed using IOCTL munmap call and process initialization is in progress in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music | 7.8 |