CVE-2019-10534

Q: What is the severity of CVE-2019-10534?

CVE-2019-10534 has a CVSS score of 9.8 (CRITICAL). This CVE describes a null-pointer dereference vulnerability in Qualcomm Snapdragon chipsets that can lead to denial of service or potential code execution. The vulnerability affects multiple Qualcomm Snapdragon platforms across automotive, mobile, IoT, and wearable devices. Attackers could exploit this to crash devices or potentially execute arbitrary code.

9.8 CRITICAL

Denial of Service

📋 TL;DR

This CVE describes a null-pointer dereference vulnerability in Qualcomm Snapdragon chipsets that can lead to denial of service or potential code execution. The vulnerability affects multiple Qualcomm Snapdragon platforms across automotive, mobile, IoT, and wearable devices. Attackers could exploit this to crash devices or potentially execute arbitrary code.

💻 Affected Systems

Products:

Snapdragon Auto
Snapdragon Compute
Snapdragon Consumer IOT
Snapdragon Industrial IOT
Snapdragon Mobile
Snapdragon Voice & Music
Snapdragon Wearables

Versions: Multiple chipset versions including MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20

Operating Systems: Android-based systems using affected chipsets

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability is in chipset firmware/hardware, affecting all devices using these chipsets regardless of OS configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data theft, or persistent backdoor installation.

🟠

Likely Case

Device crash/reboot causing denial of service, potentially leading to system instability.

🟢

If Mitigated

Limited impact with proper memory protection mechanisms and exploit mitigations in place.

🌐 Internet-Facing: HIGH - Affects mobile and IoT devices often directly internet-connected.

🏢 Internal Only: MEDIUM - Affects internal mobile devices and embedded systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Null-pointer dereference vulnerabilities typically require specific conditions to trigger and may be challenging to weaponize for RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patches from October 2019 onward

Vendor Advisory: https://source.android.com/security/bulletin/

Restart Required: Yes

Instructions:

1. Check for Android security updates from device manufacturer. 2. Apply October 2019 or later security patch. 3. Reboot device after update. 4. Verify patch level in device settings.

🔧 Temporary Workarounds

No effective workarounds

all

This is a chipset-level vulnerability requiring firmware/software patches from Qualcomm/OEMs.

🧯 If You Can't Patch

Isolate affected devices from untrusted networks
Implement network segmentation and monitoring for affected devices

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android security patch level. If before October 2019, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level is October 2019 or later in device settings.

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
Null pointer dereference errors in system logs
Unexpected device reboots

Network Indicators:

Unusual traffic patterns from affected devices
Device becoming unresponsive to network requests

SIEM Query:

source="android_devices" AND (event_type="kernel_panic" OR message="*null*pointer*" OR message="*dereference*")

📊 Metadata

CVE ID: CVE-2019-10534

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-476

Published: November 6, 2019

Last Updated: November 21, 2024

🔗 References

https://source.android.com/security/bulletin/ Vendor Advisory
https://source.android.com/security/bulletin/ Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Mdm9206 Firmware by Qualcomm

Mdm9607 Firmware by Qualcomm

Msm8909w Firmware by Qualcomm

Msm8996au Firmware by Qualcomm

Qca6574au Firmware by Qualcomm

Qcs405 Firmware by Qualcomm

Qcs605 Firmware by Qualcomm

Qualcomm 215 Firmware by Qualcomm

Sd 205 Firmware by Qualcomm

Sd 210 Firmware by Qualcomm

Sd 212 Firmware by Qualcomm

Sd 425 Firmware by Qualcomm

Sd 427 Firmware by Qualcomm

Sd 429 Firmware by Qualcomm

Sd 430 Firmware by Qualcomm

Sd 435 Firmware by Qualcomm

Sd 439 Firmware by Qualcomm

Sd 450 Firmware by Qualcomm

Sd 600 Firmware by Qualcomm

Sd 625 Firmware by Qualcomm

Sd 632 Firmware by Qualcomm

Sd 636 Firmware by Qualcomm

Sd 665 Firmware by Qualcomm

Sd 670 Firmware by Qualcomm

Sd 675 Firmware by Qualcomm

Sd 710 Firmware by Qualcomm

Sd 712 Firmware by Qualcomm

Sd 730 Firmware by Qualcomm

Sd 820 Firmware by Qualcomm

Sd 820a Firmware by Qualcomm

Sd 835 Firmware by Qualcomm

Sd 845 Firmware by Qualcomm

Sd 850 Firmware by Qualcomm

Sd 855 Firmware by Qualcomm

Sda660 Firmware by Qualcomm

Sdm439 Firmware by Qualcomm

Sdm630 Firmware by Qualcomm

Sdm660 Firmware by Qualcomm

Sdx20 Firmware by Qualcomm