Qualcomm warns of three zero-day vulnerabilities in its GPU and Compute DSP drivers that hackers are actively exploiting in their attacks.
Google’s Threat Analysis Group (TAG) and Project Zero teams told the American semiconductor company that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071 and CVE-2023-33063 may be under limited and directed exploitation.
Qualcomm says it has released security updates that fix issues in its Adreno GPU and Compute DSP drivers, and affected OEMs have also been notified.
CVE-2022-22071 was revealed in May 2022 and is a high-severity (CVSS v3.1:8.4), locally exploitable use-after-free bug affecting popular chips such as SD855, SD865 5G, and SD888.
Qualcomm has not released any details about the actively exploited CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063 flaws and will provide more information in its December 2023 bulletin.
This month’s security bulletin also warns of three other critical vulnerabilities:
- CVE-2023-24855: Memory corruption in the Qualcomm modem component occurs while processing security-related configurations before AS Security Exchange. (CVSS v3.1:9.8)
- CVE-2023-28540: Cryptographic issue in the data modem component arising from incorrect authentication during the TLS handshake. (CVSS v3.1:9.1)
- CVE-2023-33028: Memory corruption occurs in WLAN firmware when copying pmk cache without performing size checks. (CVSS v3.1:9.8)
Along with the above, Qualcomm has revealed 13 high-severity flaws and three other critical-severity vulnerabilities discovered by its engineers.
Since flaws CVE-2023-24855, CVE-2023-28540, and CVE-2023-33028 are all remotely exploitable, they are critical from a security perspective, but there is no indication that they will be exploited.
Unfortunately, there’s not much affected consumers can do other than apply available updates as soon as those updates reach their devices through the usual OEM channels.
Driver flaws typically require local access to exploit, usually achieved through malware infections, so Android device owners are advised to limit the number of apps they download and only obtain them from trusted repositories.
Yesterday, Arm issued a similar security warning about an actively exploited flaw (CVE-2023-4211, discovered and reported by Google’s Threat Analysis Group (TAG) and Project Zero) affecting a wide range of Mali GPU drivers.