Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service. The flaw impacts dozens of chipsets and was reported by researchers from Google’s Project Zero, security researcher Conghui Wang, and Amnesty International’s Security Lab. The vulnerability is caused by a use-after-free weakness that can lead to memory corruption when exploited by local attackers with low privileges.
The flaw lies in how the DSP updates header buffers with unused DMA handle file descriptors (FDs). If any invalid FDs are present and match an FD already in use, the result can be a use-after-free. Google’s Threat Analysis Group and Amnesty International Security Lab have tagged the vulnerability as exploited in the wild.
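A simplified user-space model of the weakness described above, added here as an illustration and not taken from Qualcomm's driver or patch. The struct layout, the function names and the `dma_handle` and `refs` checks are assumptions, and `freed` is only a flag, so no memory is actually released.

```c
/* Simplified user-space model: added example, not Qualcomm driver code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
struct dma_map {        /* one tracked DMA mapping (hypothetical layout) */
    int  fd;            /* file descriptor naming the buffer */
    int  refs;          /* users that still hold the mapping */
    bool dma_handle;    /* registered as a DMA handle for this call */
    bool freed;         /* stands in for the free; nothing is released */
};
static struct dma_map *lookup(struct dma_map *t, size_t n, int fd)
{
    for (size_t i = 0; i < n; i++)
        if (!t[i].freed && t[i].fd == fd) return &t[i];
    return NULL;
}

/* Trusting path: frees whatever FD the header names; returns how many
 * mappings were freed while still referenced. */
int release_trusting(struct dma_map *t, size_t n, const int *hdr, size_t cnt)
{
    int dangling = 0;
    for (size_t i = 0; i < cnt; i++) {
        struct dma_map *m = lookup(t, n, hdr[i]);
        if (!m) continue;
        if (m->refs > 0) dangling++;    /* a user still holds this mapping */
        m->freed = true;
    }
    return dangling;
}

/* Checked path: frees only registered, unreferenced DMA handles; returns
 * how many header FDs it refused. */
int release_checked(struct dma_map *t, size_t n, const int *hdr, size_t cnt)
{
    int refused = 0;
    for (size_t i = 0; i < cnt; i++) {
        struct dma_map *m = lookup(t, n, hdr[i]);
        if (!m || !m->dma_handle || m->refs > 0) { refused++; continue; }
        m->freed = true;
    }
    return refused;
}

int main(void)
{   /* Constructed sample: fd 5 is an unused DMA handle, fd 7 is in use. */
    struct dma_map a[] = {{5, 0, true, false}, {7, 1, false, false}};
    struct dma_map b[] = {{5, 0, true, false}, {7, 1, false, false}};
    const int hdr[] = {5, 7};
    printf("trusting: %d dangling\n", release_trusting(a, 2, hdr, 2));
    printf("checked:  %d refused\n", release_checked(b, 2, hdr, 2));
}
```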
Qualcomm addresses serious DSP flaw
These groups are known for discovering zero-day bugs used in spyware attacks targeting mobile devices of high-risk individuals such as journalists, opposition politicians, and dissidents. Qualcomm has warned that “CVE-2024-43047 may be under limited, targeted exploitation” and has made patches available to OEMs.
The company strongly recommends deploying the update on affected devices as soon as possible. Users are urged to contact their device manufacturers for more details on their specific devices’ patch status. Qualcomm also fixed another high-severity flaw (CVE-2024-33066) in the WLAN Resource Manager, which was caused by an improper input validation weakness leading to memory corruption.
In the past, Qualcomm has patched chipset vulnerabilities that allowed attackers to control smartphones without user interaction, spy on users, and create unremovable malware capable of evading detection. The company’s latest security effort aligns with its ongoing commitment to improving the safety and security of its devices globally.