CVE-2019-10532

Q: What is the severity of CVE-2019-10532?

CVE-2019-10532 has a CVSS score of 9.8 (CRITICAL). A null-pointer dereference vulnerability in Qualcomm Snapdragon chipsets allows attackers to cause denial of service or potentially execute arbitrary code by triggering a crash when processing zero-length strings. This affects numerous Qualcomm-based devices across automotive, IoT, mobile, and wearable platforms.

9.8 CRITICAL

Denial of Service

📋 TL;DR

A null-pointer dereference vulnerability in Qualcomm Snapdragon chipsets allows attackers to cause denial of service or potentially execute arbitrary code by triggering a crash when processing zero-length strings. This affects numerous Qualcomm-based devices across automotive, IoT, mobile, and wearable platforms.

💻 Affected Systems

Products:

Snapdragon Auto
Snapdragon Connectivity
Snapdragon Consumer IOT
Snapdragon Industrial IOT
Snapdragon IoT
Snapdragon Mobile
Snapdragon Voice & Music
Snapdragon Wearables

Versions: All versions prior to January 2020 security patches

Operating Systems: Android, Linux-based embedded systems

Default Config Vulnerable: ⚠️ Yes

Notes: Affects specific chipset models: APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, Nicobar, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM8150, SM8250, SXR1130, SXR2130

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data theft, or persistent backdoor installation.

🟠

Likely Case

Denial of service causing device crashes, reboots, or instability affecting functionality.

🟢

If Mitigated

Limited impact with proper network segmentation and exploit mitigations in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

CVSS 9.8 indicates critical severity with network-accessible attack vector. No public exploit code available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2020 security patch level or later

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/january-2020-bulletin

Restart Required: Yes

Instructions:

1. Check device manufacturer for available firmware updates. 2. Apply January 2020 or later security patches. 3. Reboot device after update. 4. Verify patch installation.

🔧 Temporary Workarounds

Network segmentation

all

Isolate affected devices from untrusted networks to reduce attack surface

Input validation

all

Implement application-level validation to reject zero-length strings in vulnerable functions

🧯 If You Can't Patch

Segment affected devices in isolated network zones with strict access controls
Implement monitoring for abnormal crashes or reboots of affected devices

🔍 How to Verify

Check if Vulnerable:

Check device firmware version and security patch level. If before January 2020, device is vulnerable.

Check Version:

On Android: Settings > About phone > Android security patch level

Verify Fix Applied:

Confirm security patch level is January 2020 or later in device settings.

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
Unexpected device reboots
Null pointer exception in system logs

Network Indicators:

Unusual network traffic to device management interfaces
Protocol anomalies triggering string processing

SIEM Query:

source="device_logs" AND ("kernel panic" OR "null pointer" OR "segmentation fault")

📊 Metadata

CVE ID: CVE-2019-10532

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-125

Published: January 21, 2020

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/january-2020-bulletin Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/january-2020-bulletin Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Apq8009 Firmware by Qualcomm

Apq8017 Firmware by Qualcomm

Apq8053 Firmware by Qualcomm

Apq8064 Firmware by Qualcomm

Apq8096au Firmware by Qualcomm

Apq8098 Firmware by Qualcomm

Mdm9206 Firmware by Qualcomm

Mdm9207c Firmware by Qualcomm

Mdm9607 Firmware by Qualcomm

Msm8905 Firmware by Qualcomm

Msm8909 Firmware by Qualcomm

Msm8909w Firmware by Qualcomm

Msm8917 Firmware by Qualcomm

Msm8920 Firmware by Qualcomm

Msm8937 Firmware by Qualcomm

Msm8939 Firmware by Qualcomm

Msm8940 Firmware by Qualcomm

Msm8953 Firmware by Qualcomm

Msm8996 Firmware by Qualcomm

Nicobar Firmware by Qualcomm

Qcs605 Firmware by Qualcomm

Qm215 Firmware by Qualcomm

Sda660 Firmware by Qualcomm

Sda845 Firmware by Qualcomm

Sdm429 Firmware by Qualcomm

Sdm429w Firmware by Qualcomm

Sdm439 Firmware by Qualcomm

Sdm450 Firmware by Qualcomm

Sdm630 Firmware by Qualcomm

Sdm632 Firmware by Qualcomm

Sdm636 Firmware by Qualcomm

Sdm660 Firmware by Qualcomm

Sdm670 Firmware by Qualcomm

Sdm710 Firmware by Qualcomm

Sdm845 Firmware by Qualcomm

Sdx20 Firmware by Qualcomm

Sm6150 Firmware by Qualcomm

Sm8150 Firmware by Qualcomm

Sm8250 Firmware by Qualcomm

Sxr1130 Firmware by Qualcomm

Sxr2130 Firmware by Qualcomm