CVE-2019-14099

Q: What is the severity of CVE-2019-14099?

CVE-2019-14099 has a CVSS score of 7.8 (HIGH). This CVE describes a buffer copy without checking size of input vulnerability in Qualcomm Snapdragon chipsets. It allows attackers to cause device misbehavior by passing incorrect offset, length, or number of buffers from user space. Affected devices include various Snapdragon platforms in automotive, mobile, IoT, and wearable products.

7.8 HIGH

Buffer Overflow

📋 TL;DR

This CVE describes a buffer copy without checking size of input vulnerability in Qualcomm Snapdragon chipsets. It allows attackers to cause device misbehavior by passing incorrect offset, length, or number of buffers from user space. Affected devices include various Snapdragon platforms in automotive, mobile, IoT, and wearable products.

💻 Affected Systems

Products:

Snapdragon Auto
Snapdragon Compute
Snapdragon Consumer IOT
Snapdragon Industrial IOT
Snapdragon Mobile
Snapdragon Voice & Music
Snapdragon Wearables

Versions: APQ8053, MDM9206, MDM9207C, MDM9607, MSM8909W, MSM8917, MSM8953, Nicobar, QCM2150, QCS405, QCS605, QM215, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

Operating Systems: Android, Linux-based embedded systems

Default Config Vulnerable: ⚠️ Yes

Notes: Affects multiple Qualcomm chipset platforms across various device categories.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data theft, or persistent backdoor installation.

🟠

Likely Case

Denial of service causing device crashes, instability, or performance degradation.

🟢

If Mitigated

Limited impact with proper input validation and memory protections in place.

🌐 Internet-Facing: MEDIUM - Requires local access or exploitation through another vulnerability chain.

🏢 Internal Only: HIGH - Local attackers or malicious apps could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access or ability to execute code on the device. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Qualcomm July 2020 security bulletin for specific chipset updates

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/july-2020-bulletin

Restart Required: Yes

Instructions:

1. Check device manufacturer for firmware updates. 2. Apply Qualcomm-provided patches through OEM updates. 3. Reboot device after update installation.

🔧 Temporary Workarounds

Input validation hardening

all

Implement strict input validation for buffer operations in affected drivers

🧯 If You Can't Patch

Restrict physical access to vulnerable devices
Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check device chipset model and firmware version against affected list

Check Version:

adb shell getprop ro.build.fingerprint (for Android devices)

Verify Fix Applied:

Verify firmware version has been updated to post-July 2020 security patch level

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
Driver crash reports
Memory corruption warnings

Network Indicators:

Unusual device behavior patterns
Unexpected reboots

SIEM Query:

Device logs containing 'kernel panic' or 'segmentation fault' from affected chipset devices

📊 Metadata

CVE ID: CVE-2019-14099

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-120

Published: July 30, 2020

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/july-2020-bulletin Broken Link
https://www.qualcomm.com/company/product-security/bulletins/july-2020-security-bulletin Patch,Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/july-2020-bulletin Broken Link

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Apq8053 Firmware by Qualcomm

Mdm9206 Firmware by Qualcomm

Mdm9207c Firmware by Qualcomm

Mdm9607 Firmware by Qualcomm

Msm8909w Firmware by Qualcomm

Msm8917 Firmware by Qualcomm

Msm8953 Firmware by Qualcomm

Nicobar Firmware by Qualcomm

Qcm2150 Firmware by Qualcomm

Qcs405 Firmware by Qualcomm

Qcs605 Firmware by Qualcomm

Qm215 Firmware by Qualcomm

Saipan Firmware by Qualcomm

Sc8180x Firmware by Qualcomm

Sda845 Firmware by Qualcomm

Sdm429 Firmware by Qualcomm

Sdm429w Firmware by Qualcomm

Sdm439 Firmware by Qualcomm

Sdm450 Firmware by Qualcomm

Sdm632 Firmware by Qualcomm

Sdx24 Firmware by Qualcomm

Sdx55 Firmware by Qualcomm

Sm6150 Firmware by Qualcomm

Sm7150 Firmware by Qualcomm

Sm8150 Firmware by Qualcomm

Sm8250 Firmware by Qualcomm

Sxr1130 Firmware by Qualcomm

Sxr2130 Firmware by Qualcomm