CVE-2019-14104 – This vulnerability allows out-of-bounds memory ... (How to Fix)

Q: What is the severity of CVE-2019-14104?

CVE-2019-14104 has a CVSS score of 7.1 (HIGH). This vulnerability allows out-of-bounds memory access in Qualcomm Snapdragon chipsets due to missing null pointer checks. Attackers could potentially execute arbitrary code or cause denial of service. Affected devices include smartphones, IoT devices, and computing platforms using specific Snapdragon processors.

📋 TL;DR

This vulnerability allows out-of-bounds memory access in Qualcomm Snapdragon chipsets due to missing null pointer checks. Attackers could potentially execute arbitrary code or cause denial of service. Affected devices include smartphones, IoT devices, and computing platforms using specific Snapdragon processors.

💻 Affected Systems

Products:

Snapdragon Compute
Snapdragon Consumer IOT
Snapdragon Mobile

Versions: APQ8053, SC8180X, SDX55, SM8150 platforms

Operating Systems: Android, Linux-based systems using affected chipsets

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability is in chipset firmware/drivers, affecting all devices using these specific Snapdragon platforms.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data theft, or persistent backdoor installation.

🟠

Likely Case

Application crashes, denial of service, or limited information disclosure from memory corruption.

🟢

If Mitigated

Controlled crashes with minimal impact if proper memory protections and sandboxing are enforced.

🌐 Internet-Facing: MEDIUM - Requires specific conditions and potentially local access, but could be chained with other vulnerabilities.

🏢 Internal Only: MEDIUM - Could be exploited through malicious apps or local network attacks.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires specific conditions and likely local access or malicious application installation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to device manufacturer updates for specific firmware versions

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/april-2020-bulletin

Restart Required: Yes

Instructions:

1. Check with device manufacturer for firmware updates. 2. Apply the latest firmware/security patch from device vendor. 3. Reboot device after update.

🔧 Temporary Workarounds

Application Sandboxing

all

Restrict application permissions and capabilities to limit potential damage from exploitation

Memory Protection Enforcement

linux

Enable ASLR and other memory protection mechanisms if available

🧯 If You Can't Patch

Isolate affected devices from critical networks and internet access
Implement strict application whitelisting and prevent installation of untrusted apps

🔍 How to Verify

Check if Vulnerable:

Check device chipset model and firmware version against Qualcomm advisory

Check Version:

On Android: Settings > About Phone > Build Number / Kernel Version

Verify Fix Applied:

Verify firmware version has been updated to post-April 2020 security patch level

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
Application crashes with memory access violations
Unexpected process terminations

Network Indicators:

Unusual outbound connections from system processes
Anomalous device behavior

SIEM Query:

Search for kernel panic events or application crashes on affected device models

📊 Metadata

CVE ID: CVE-2019-14104

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE: CWE-125

Published: April 16, 2020

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/april-2020-bulletin Patch,Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/april-2020-bulletin Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-14104, you might also want to check these: