Qualcomm Reports Exploitation of Three Zero-Days in Its GPU, DSP Drivers

Qualcomm has issued a warning about three zero-day vulnerabilities in its GPU and Compute DSP drivers that are currently being targeted by hackers.

The prominent American semiconductor firm received reports from Google’s Threat Analysis Group (TAG) and Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.

The company has promptly addressed these concerns by releasing security updates for its Adreno GPU and Compute DSP drivers. Additionally, Original Equipment Manufacturers (OEMs) have been informed about the situation.

Qualcomm has emphasized to OEMs the importance of deploying these security patches promptly. The CVE-2022-22071 flaw, which was disclosed in May 2022, is a high-severity, locally exploitable bug that affects notable chips such as the SD855, SD865 5G, and SD888 5G.

Qualcomm plans to share more details about the vulnerabilities CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063, which are currently being exploited, in its upcoming December 2023 bulletin.

In this month’s security bulletin, Qualcomm has also highlighted three other critical vulnerabilities:

  • CVE-2023-24855: This involves memory corruption in Qualcomm’s Modem component when processing security-related configurations prior to the AS Security Exchange.
  • CVE-2023-28540: A cryptographic concern in the Data Modem component caused by improper authentication during the TLS handshake.
  • CVE-2023-33028: Memory corruption in the WLAN firmware occurs when the pmk cache memory is copied without conducting size checks.

Furthermore, Qualcomm has shared details about 13 high-severity flaws and an additional three critical-severity vulnerabilities that its engineers identified.

The CVE-2023-24855, CVE-2023-28540, and CVE-2023-33028 vulnerabilities are all remotely exploitable, which makes them particularly concerning from a security perspective. However, there’s currently no evidence suggesting these have been exploited in the wild.

For consumers affected by these vulnerabilities, the best course of action is to apply the available updates as soon as they become accessible through the standard OEM channels. Exploiting driver vulnerabilities generally requires local access, which is often obtained via malware. Hence, Android users are advised to be cautious when downloading apps and ensure they’re sourced from reputable platforms.

In a related note, Arm recently announced a security advisory about an actively exploited flaw, CVE-2023-4211, which affects an extensive range of Mali GPU drivers, as discovered and reported by Google’s TAG and Project Zero.