CVE-2019-14040

7.8 HIGH

📋 TL;DR

CVE-2019-14040 is a use-after-free vulnerability in Qualcomm's qsee (Qualcomm Secure Execution Environment) that allows attackers to execute arbitrary code with kernel privileges. This affects numerous Snapdragon-based devices across automotive, mobile, IoT, and wearable platforms. Successful exploitation could lead to complete device compromise.

💻 Affected Systems

Products:
  • Snapdragon Auto
  • Snapdragon Compute
  • Snapdragon Consumer IOT
  • Snapdragon Industrial IOT
  • Snapdragon IoT
  • Snapdragon Mobile
  • Snapdragon Voice & Music
  • Snapdragon Wearables
Versions: All versions with affected chipsets prior to February 2020 patches
Operating Systems: Android, Linux-based embedded systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific Qualcomm chipset models: APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SM8150, SXR1130

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise with kernel-level code execution, allowing attackers to install persistent malware, steal sensitive data, or brick devices.

🟠 Likely Case

Privilege escalation from user to kernel space, enabling installation of malicious apps, data theft, or device control.

🟢 If Mitigated

Limited impact if devices are patched and have secure boot enabled, though some risk remains from physical access attacks.

🌐 Internet-Facing: MEDIUM - Exploitation typically requires local access, but could be combined with other vulnerabilities for remote attacks.
🏢 Internal Only: HIGH - Local attackers or malicious apps can exploit this for privilege escalation on affected devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of qsee internals. No public exploits available, but the vulnerability is well-documented in security bulletins.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: February 2020 security patches and later

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/february-2020-bulletin

Restart Required: Yes

Instructions:

1. Check device manufacturer for available security updates.
2. Apply February 2020 or later security patches.
3. Reboot device.
4. Verify patch installation through device settings.

🔧 Temporary Workarounds

Disable unnecessary qsee services

android

Reduce attack surface by disabling non-essential qsee services if supported by device configuration

adb shell pm disable com.qualcomm.qti.secureprocessor
adb shell pm disable com.qualcomm.qti.qseecomservice

🧯 If You Can't Patch

  • Isolate affected devices on separate network segments
  • Implement strict application whitelisting to prevent malicious app installation

🔍 How to Verify

Check if Vulnerable:

Check device chipset model and security patch level. Devices with affected chipsets and pre-February 2020 patches are vulnerable.

Check Version:

adb shell getprop ro.boot.hardware.sku

Verify Fix Applied:

Verify security patch level is February 2020 or later in device settings > About phone > Android security patch level
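
The check described under "Check if Vulnerable" and "Verify Fix Applied", as an added example rather than vendor or page tooling: it matches a chipset string against the list in Notes and compares the patch-level date with February 2020. The function names, the `ro.build.version.security_patch` property and the `2020-02-01` threshold are assumptions; whether `ro.boot.hardware.sku` returns one of the listed names depends on the device.

```shell
#!/bin/sh
# Added example: applies this page's criteria (listed chipset + patch level
# before February 2020) to two strings read from a device.

# Chipset names copied from the Notes field above.
AFFECTED="APQ8009 APQ8017 APQ8053 APQ8096AU APQ8098 MDM9150 MDM9206 MDM9207C
MDM9607 MDM9640 MDM9650 MSM8905 MSM8909W MSM8917 MSM8920 MSM8937 MSM8940
MSM8953 MSM8996AU MSM8998 QCS605 QM215 SDA660 SDA845 SDM429 SDM429W SDM439
SDM450 SDM630 SDM632 SDM636 SDM660 SDM845 SDX20 SDX24 SM8150 SXR1130"
FIXED_SPL=20200201  # assumption: earliest February 2020 patch level, as YYYYMMDD

# chipset_affected NAME: 0 if NAME (any case) is on the list, 1 otherwise.
chipset_affected() {
    # Strip the carriage return some adb versions append, then upper-case.
    name=$(printf '%s' "$1" | tr -d '\r' | tr '[:lower:]' '[:upper:]')
    for c in $AFFECTED; do
        [ "$c" = "$name" ] && return 0
    done
    return 1
}

# spl_patched YYYY-MM-DD: 0 if February 2020 or later, 1 if older, 2 if malformed.
spl_patched() {
    spl=$(printf '%s' "$1" | tr -d '\r')
    case "$spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    rest=${spl#*-}
    # Join year, month and day into one integer so dates compare numerically.
    [ "${spl%%-*}${rest%%-*}${rest#*-}" -ge "$FIXED_SPL" ]
}

# assess CHIPSET SPL: prints not-listed, patched, vulnerable or unknown.
assess() {
    [ -n "$1" ] || { echo unknown; return 0; }
    chipset_affected "$1" || { echo not-listed; return 0; }
    rc=0
    spl_patched "$2" || rc=$?
    case $rc in
        0) echo patched ;;
        1) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Against a connected device (second property name is an assumption):
#   assess "$(adb shell getprop ro.boot.hardware.sku)" \
#          "$(adb shell getprop ro.build.version.security_patch)"
```

An `unknown` result means the chipset string was empty or the patch level was not in `YYYY-MM-DD` form; confirm those devices by hand in settings.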

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • qsee service crashes
  • Unexpected privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from system processes
  • Suspicious inter-process communication patterns

SIEM Query:

source="android_logs" AND ("qsee" OR "secure_processor") AND ("crash" OR "panic" OR "segfault")
