CVE-2019-14038

7.1 HIGH

📋 TL;DR

This CVE describes a buffer over-read vulnerability in the ADSP parse function of Qualcomm Snapdragon chipsets. It allows attackers to read beyond allocated memory boundaries when processing malformed command responses, potentially exposing sensitive data. The vulnerability affects numerous Qualcomm Snapdragon platforms across automotive, compute, IoT, mobile, and wearable devices.

💻 Affected Systems

Products:
  • Snapdragon Auto
  • Snapdragon Compute
  • Snapdragon Consumer IOT
  • Snapdragon Industrial IOT
  • Snapdragon IoT
  • Snapdragon Mobile
  • Snapdragon Voice & Music
  • Snapdragon Wearables
Versions: APQ8009, APQ8053, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, QCS605, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM670, SDM710, SDM845, SDX20, SDX24
Operating Systems: Android, Linux-based embedded systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the ADSP (Audio Digital Signal Processor) subsystem across multiple Qualcomm chipset families. The vulnerability is in the firmware/hardware abstraction layer.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure of sensitive data from adjacent memory, potentially including cryptographic keys, authentication tokens, or other protected information that could lead to complete system compromise.

🟠 Likely Case

Information disclosure of adjacent memory contents, potentially exposing system information or application data that could facilitate further attacks.

🟢 If Mitigated

No impact if proper memory protection mechanisms are in place and the vulnerability is patched.

🌐 Internet-Facing: MEDIUM - Requires specific malformed command responses to be processed, but could be exploited through network interfaces if vulnerable services are exposed.
🏢 Internal Only: MEDIUM - Could be exploited by malicious applications or compromised processes running on the device.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires sending malformed command responses to the ADSP subsystem. This typically requires local access or ability to interact with ADSP services.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Qualcomm security bulletin for specific chipset firmware updates

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/may-2020-bulletin

Restart Required: Yes

Instructions:

1. Check device manufacturer for firmware updates.
2. Apply Qualcomm-provided firmware patches for affected chipsets.
3. Reboot device to load updated firmware.
4. Verify patch installation through device firmware version checks.

🔧 Temporary Workarounds

Restrict ADSP service access (Linux)

Limit which applications and services can interact with the ADSP subsystem.

Requires device-specific configuration through SELinux policies or application sandboxing.

🧯 If You Can't Patch

  • Implement strict application sandboxing to limit access to ADSP services
  • Monitor for unusual memory access patterns or crashes in ADSP-related processes

🔍 How to Verify

Check if Vulnerable:

Check device chipset model and firmware version against Qualcomm's affected products list

Check Version:

On Android devices: adb shell getprop ro.bootloader

On other devices, use the device-specific firmware version command.

Verify Fix Applied:

Verify firmware version has been updated to a version after the May 2020 security patches

📡 Detection & Monitoring

Log Indicators:

  • ADSP subsystem crashes
  • Unexpected memory access violations in kernel logs
  • Audio/DSP service failures

Network Indicators:

  • Unusual inter-process communication patterns to ADSP services

SIEM Query:

Process:ADSP AND (EventID:1000 OR ExceptionCode:0xC0000005)
