CVE-2019-14087 – This is a use-after-free vulnerability in Qualc... (How to Fix)

Q: What is the severity of CVE-2019-14087?

CVE-2019-14087 has a CVSS score of 7.8 (HIGH). This is a use-after-free vulnerability in Qualcomm's graphics buffer management for HDR blit operations when unsupported color modes are encountered. It affects Snapdragon chipsets in consumer IoT, mobile, and wearable devices, potentially allowing local attackers to execute arbitrary code or cause denial of service.

📋 TL;DR

This is a use-after-free vulnerability in Qualcomm's graphics buffer management for HDR blit operations when unsupported color modes are encountered. It affects Snapdragon chipsets in consumer IoT, mobile, and wearable devices, potentially allowing local attackers to execute arbitrary code or cause denial of service.

💻 Affected Systems

Products:

Snapdragon Consumer IOT
Snapdragon Mobile
Snapdragon Wearables

Versions: Chipsets including MSM8909W, QCS605 and potentially others

Operating Systems: Android-based systems using affected Qualcomm chipsets

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability is in Qualcomm's graphics driver/firmware; affects devices regardless of Android version if using vulnerable chipset.

📦 What is this software?

Msm8909w Firmware by Qualcomm

View all CVEs affecting Msm8909w Firmware →

Qcs605 Firmware by Qualcomm

View all CVEs affecting Qcs605 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation leading to full device compromise, arbitrary code execution with kernel privileges, or permanent device bricking.

🟠

Likely Case

Local denial of service (device crash/reboot) or limited privilege escalation within the graphics subsystem context.

🟢

If Mitigated

Contained crash of graphics services without system compromise if proper sandboxing and privilege separation are implemented.

🌐 Internet-Facing: LOW - Requires local access to device; not directly exploitable over network.

🏢 Internal Only: MEDIUM - Could be exploited by malicious apps or users with physical/local access to affected devices.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access and ability to trigger specific graphics operations with unsupported color modes; no public exploits known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Qualcomm security bulletin May 2020 contains fixes

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/may-2020-bulletin

Restart Required: Yes

Instructions:

1. Check device manufacturer for security updates. 2. Apply Qualcomm-provided firmware/driver updates. 3. Update Android security patches. 4. Reboot device after update.

🔧 Temporary Workarounds

Disable HDR features

android

Disable HDR display modes if supported by device settings

Restrict graphics permissions

android

Use Android permissions system to restrict apps from accessing graphics APIs

🧯 If You Can't Patch

Isolate affected devices from untrusted networks and users
Implement strict app vetting and installation controls

🔍 How to Verify

Check if Vulnerable:

Check device chipset model and firmware version against Qualcomm's advisory; use 'getprop ro.boot.hardware' or similar commands to identify chipset.

Check Version:

adb shell getprop ro.boot.hardware && adg shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level is May 2020 or later and check with device manufacturer for specific firmware updates.

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
Graphics driver crash reports
ANR (Application Not Responding) for graphics services

SIEM Query:

Search for: 'kernel panic' OR 'segfault' in graphics driver logs OR 'qualcomm' AND 'adreno' crash reports

📊 Metadata

CVE ID: CVE-2019-14087

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: June 2, 2020

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/may-2020-bulletin Patch,Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/may-2020-bulletin Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-14087, you might also want to check these: