Memory Corruption Vulnerability in Qualcomm DSP Software
CVE-2024-49848

6.7 MEDIUM

Key Information:

Vendor: Qualcomm
CVE Published: 7 April 2025

Badges

📈 Score: 837 | 📰 News Worthy

What is CVE-2024-49848?

CVE-2024-49848 is a memory corruption vulnerability in the Qualcomm Digital Signal Processor (DSP) software. Qualcomm's DSP processes audio, video, and signal data and is integral to numerous mobile and embedded systems. The vulnerability arises when an excessive number of Input/Output Control (IOCTL) calls are made from the High-Level Operating System (HLOS) to the DSP, potentially leading to unexpected behavior or crashes. If exploited, it could allow attackers to disrupt operations or cause data corruption in critical mobile and embedded environments, which poses a significant risk to organizations.

Technical Details

CVE-2024-49848 involves memory corruption triggered while handling multiple IOCTL calls sent from HLOS to the DSP. This issue can lead to buffer overflows in which memory contents are altered, resulting in arbitrary code execution or system instability. The flaw is rooted in the way memory allocations and accesses are managed while these requests are processed. The vulnerability highlights concerns about resource management in complex signal-processing environments and about the security measures protecting communication between system components.

Potential impact of CVE-2024-49848

  1. System Instability: The vulnerability can result in crashes or unpredictable behavior of devices utilizing Qualcomm's DSP software, impacting performance and reliability for users and organizations relying on these systems.

  2. Data Integrity Issues: Memory corruption could lead to the alteration or loss of critical data processed by affected systems, which can have severe implications for data-driven applications and operations.

  3. Increased Attack Surface: The existence of this vulnerability may incentivize attackers to target systems that rely on Qualcomm DSP, potentially leading to more sophisticated attacks or to the exploitation of vulnerabilities within the ecosystem.

Affected Version(s)

Snapdragon Snapdragon Auto AR8035

Snapdragon Snapdragon Auto FastConnect 6200

Snapdragon Snapdragon Auto FastConnect 6700

News Articles

New Android NoviSpy spyware linked to Qualcomm zero-day bugs

The Serbian government exploited Qualcomm zero-days to unlock and infect Android devices with a new spyware named 'NoviSpy,' used to spy on activists, journalists, and protestors.

CVSS V3.1

Score: 6.7
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • 📰 First article discovered by BleepingComputer

  • Vulnerability Reserved
