CVE-2019-14037

7.8 HIGH

📋 TL;DR

CVE-2019-14037 is a use-after-free vulnerability in Qualcomm Snapdragon socket handling that allows attackers to potentially execute arbitrary code or cause denial of service. This affects numerous Qualcomm Snapdragon platforms across automotive, mobile, IoT, and wearable devices. Attackers could exploit this by manipulating socket close and bind operations.

💻 Affected Systems

Products:
  • Snapdragon Auto
  • Snapdragon Compute
  • Snapdragon Connectivity
  • Snapdragon Consumer Electronics Connectivity
  • Snapdragon Consumer IOT
  • Snapdragon Industrial IOT
  • Snapdragon IoT
  • Snapdragon Mobile
  • Snapdragon Voice & Music
  • Snapdragon Wearables
Versions: APQ8009, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8996, MSM8996AU, QCN7605, QCN7606, QCS605, SC8180X, SDA660, SDA845, SDM439, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM8150, SXR1130
Operating Systems: Android, Linux-based embedded systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects kernel-level socket operations. All devices using affected Snapdragon chipsets are vulnerable unless patched.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, data theft, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation from a lower-privileged process to kernel-level access, potentially leading to denial of service.

🟢 If Mitigated

Limited impact with proper kernel hardening, SELinux policies, and process isolation in place.

🌐 Internet-Facing: MEDIUM - Exploitation typically requires local access, but could be combined with other vulnerabilities for remote exploitation.
🏢 Internal Only: HIGH - Local attackers or malicious apps could exploit this for privilege escalation on affected devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of the kernel memory layout. No public exploits were known as of the July 2020 advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Qualcomm July 2020 security bulletin for specific chipset patches

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/july-2020-bulletin

Restart Required: Yes

Instructions:

1. Check device manufacturer for firmware updates.
2. Apply Qualcomm-provided kernel patches.
3. Update Android security patch level to July 2020 or later.
4. Reboot device after update.

🔧 Temporary Workarounds

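Kernel hardening (linux)

Enable kernel address space layout randomization (KASLR) and other memory protection features. The two settings below restrict exposure of kernel pointers through /proc and limit unprivileged use of perf events, which reduces the address information available to a local attacker.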

echo 1 > /proc/sys/kernel/kptr_restrict
echo 2 > /proc/sys/kernel/perf_event_paranoid

Process isolation (all)

Restrict socket operations through SELinux policies or app sandboxing

🧯 If You Can't Patch

  • Implement strict application whitelisting to prevent untrusted code execution
  • Deploy network segmentation to isolate vulnerable devices from critical systems

🔍 How to Verify

Check if Vulnerable:

Check kernel version and security patch date: 'getprop ro.build.version.security_patch' on Android or 'uname -a' on Linux

Check Version:

Android: getprop ro.build.version.security_patch; Linux: uname -r

Verify Fix Applied:

Verify security patch level is July 2020 or later and kernel version matches patched release
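
The patch-level check above can be scripted for fleet audits. This is an added example, not code from Qualcomm or the advisory; the function name classify_patch_level and the 2020-07-01 threshold (the first July 2020 level) are assumptions, and the sample values are constructed.

```shell
#!/bin/sh
# Classify an Android security patch level (YYYY-MM-DD) against the
# "July 2020 or later" requirement for CVE-2019-14037.
# Assumption: 2020-07-01 is used as the minimum; override with MIN_PATCH.
MIN_PATCH="${MIN_PATCH:-2020-07-01}"

# Convert YYYY-MM-DD to YYYYMMDD so dates compare as integers.
to_number() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    printf '%s%s%s' "$y" "$m" "$d"
}

# Prints PATCHED, VULNERABLE or UNKNOWN; exit status 0, 1 or 2 respectively.
classify_patch_level() {
    level=$1
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        # Empty or malformed property: report it instead of guessing.
        *) echo UNKNOWN; return 2 ;;
    esac
    if [ "$(to_number "$level")" -ge "$(to_number "$MIN_PATCH")" ]; then
        echo PATCHED; return 0
    fi
    echo VULNERABLE; return 1
}

if command -v getprop >/dev/null 2>&1; then
    # On-device: read the real property.
    classify_patch_level "$(getprop ro.build.version.security_patch)" || true
else
    # Off-device: run over constructed sample values.
    for sample in 2020-06-05 2020-07-01 2021-01-05 ""; do
        printf '%s -> %s\n' "${sample:-<empty>}" "$(classify_patch_level "$sample")"
    done
fi
```

A PATCHED result covers only the patch-level half of the check; the kernel build still has to match the manufacturer's patched release.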

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • Unexpected process crashes
  • SELinux denials for socket operations

Network Indicators:

  • Unusual local socket activity
  • Suspicious inter-process communication

SIEM Query:

source="kernel" AND ("use-after-free" OR "general protection fault" OR "kernel panic")
