CVE-2020-11146
7.8 HIGH
📋 TL;DR
This vulnerability allows attackers to write data beyond allocated memory bounds in Qualcomm Snapdragon chipsets via IOCTL calls, potentially leading to arbitrary code execution. It affects multiple Snapdragon product lines including Auto, Compute, Mobile, and Wearables. Attackers need local access to exploit this flaw.
💻 Affected Systems
Products:
- Snapdragon Auto
- Snapdragon Compute
- Snapdragon Connectivity
- Snapdragon Consumer IOT
- Snapdragon Industrial IOT
- Snapdragon Mobile
- Snapdragon Voice & Music
- Snapdragon Wearables
Versions: Multiple chipset versions across these product lines
Operating Systems: Android-based systems and other embedded OS using affected Snapdragon chipsets
Default Config Vulnerable:
⚠️ Yes
Notes: Specific chipset models and firmware versions vary; check Qualcomm advisory for exact affected components.
📦 What is this software?
Apq8076 by Qualcomm
Aqt1000 by Qualcomm
Ar8031 by Qualcomm
Ar8035 by Qualcomm
Csra6620 by Qualcomm
Csra6640 by Qualcomm
Msm8937 by Qualcomm
Pm215 by Qualcomm
Pm3003a by Qualcomm
Pm4125 by Qualcomm
Pm456 by Qualcomm
Pm6125 by Qualcomm
Pm6150 by Qualcomm
Pm6150a by Qualcomm
Pm6150l by Qualcomm
Pm6250 by Qualcomm
Pm6350 by Qualcomm
Pm640a by Qualcomm
Pm640l by Qualcomm
Pm640p by Qualcomm
Pm660 by Qualcomm
Pm660l by Qualcomm
Pm670 by Qualcomm
Pm670l by Qualcomm
Pm7150a by Qualcomm
Pm7150l by Qualcomm
Pm7250 by Qualcomm
Pm7250b by Qualcomm
Pm7350c by Qualcomm
Pm8004 by Qualcomm
Pm8005 by Qualcomm
Pm8008 by Qualcomm
Pm8009 by Qualcomm
Pm8150 by Qualcomm
Pm8150a by Qualcomm
Pm8150b by Qualcomm
Pm8150c by Qualcomm
Pm8150l by Qualcomm
Pm8250 by Qualcomm
Pm8350 by Qualcomm
Pm8350b by Qualcomm
Pm8350bh by Qualcomm
Pm8350bhs by Qualcomm
Pm8350c by Qualcomm
Pm855 by Qualcomm
Pm855b by Qualcomm
Pm855l by Qualcomm
Pm855p by Qualcomm
Pm8909 by Qualcomm
Pm8916 by Qualcomm
Pm8937 by Qualcomm
Pm8952 by Qualcomm
Pm8956 by Qualcomm
Pm8998 by Qualcomm
Pmc1000h by Qualcomm
Pmd9655 by Qualcomm
Pmi632 by Qualcomm
Pmi8937 by Qualcomm
Pmi8952 by Qualcomm
Pmi8998 by Qualcomm
Pmk7350 by Qualcomm
Pmk8002 by Qualcomm
Pmk8003 by Qualcomm
Pmk8350 by Qualcomm
Pmm6155au by Qualcomm
Pmm8155au by Qualcomm
Pmm8195au by Qualcomm
Pmm855au by Qualcomm
Pmr525 by Qualcomm
Pmr735a by Qualcomm
Pmr735b by Qualcomm
Pmw3100 by Qualcomm
Pmx55 by Qualcomm
Qat3514 by Qualcomm
Qat3516 by Qualcomm
Qat3518 by Qualcomm
Qat3519 by Qualcomm
Qat3522 by Qualcomm
Qat3550 by Qualcomm
Qat3555 by Qualcomm
Qat5515 by Qualcomm
Qat5516 by Qualcomm
Qat5522 by Qualcomm
Qat5533 by Qualcomm
Qat5568 by Qualcomm
Qbt1500 by Qualcomm
Qbt2000 by Qualcomm
Qca4020 by Qualcomm
Qca6174a by Qualcomm
Qca6175a by Qualcomm
Qca6310 by Qualcomm
Qca6335 by Qualcomm
Qca6390 by Qualcomm
Qca6391 by Qualcomm
Qca6420 by Qualcomm
Qca6421 by Qualcomm
Qca6426 by Qualcomm
Qca6430 by Qualcomm
Qca6431 by Qualcomm
Qca6436 by Qualcomm
Qca6564 by Qualcomm
Qca6564a by Qualcomm
Qca6564au by Qualcomm
Qca6574 by Qualcomm
Qca6574a by Qualcomm
Qca6574au by Qualcomm
Qca6584au by Qualcomm
Qca6595 by Qualcomm
Qca6595au by Qualcomm
Qca6696 by Qualcomm
Qca8337 by Qualcomm
Qca9379 by Qualcomm
Qcm4290 by Qualcomm
Qcs405 by Qualcomm
Qcs4290 by Qualcomm
Qcs605 by Qualcomm
Qdm2301 by Qualcomm
Qdm2302 by Qualcomm
Qdm2305 by Qualcomm
Qdm2307 by Qualcomm
Qdm2308 by Qualcomm
Qdm2310 by Qualcomm
Qdm3301 by Qualcomm
Qdm3302 by Qualcomm
Qdm4643 by Qualcomm
Qdm4650 by Qualcomm
Qdm5579 by Qualcomm
Qdm5620 by Qualcomm
Qdm5621 by Qualcomm
Qdm5650 by Qualcomm
Qdm5652 by Qualcomm
Qdm5670 by Qualcomm
Qdm5671 by Qualcomm
Qdm5677 by Qualcomm
Qdm5679 by Qualcomm
Qet4100 by Qualcomm
Qet4101 by Qualcomm
Qet4200aq by Qualcomm
Qet5100 by Qualcomm
Qet5100m by Qualcomm
Qet6100 by Qualcomm
Qet6110 by Qualcomm
Qfs2530 by Qualcomm
Qfs2580 by Qualcomm
Qfs2608 by Qualcomm
Qfs2630 by Qualcomm
Qln1020 by Qualcomm
Qln1021aq by Qualcomm
Qln1030 by Qualcomm
Qln1031 by Qualcomm
Qln1036aq by Qualcomm
Qln4640 by Qualcomm
Qln4642 by Qualcomm
Qln4650 by Qualcomm
Qln5020 by Qualcomm
Qln5030 by Qualcomm
Qln5040 by Qualcomm
Qpa2625 by Qualcomm
Qpa4360 by Qualcomm
Qpa4361 by Qualcomm
Qpa5461 by Qualcomm
Qpa5580 by Qualcomm
Qpa5581 by Qualcomm
Qpa6560 by Qualcomm
Qpa8673 by Qualcomm
Qpa8675 by Qualcomm
Qpa8686 by Qualcomm
Qpa8801 by Qualcomm
Qpa8802 by Qualcomm
Qpa8803 by Qualcomm
Qpa8821 by Qualcomm
Qpa8842 by Qualcomm
Qpm2630 by Qualcomm
Qpm4621 by Qualcomm
Qpm4630 by Qualcomm
Qpm4640 by Qualcomm
Qpm4641 by Qualcomm
Qpm4650 by Qualcomm
Qpm5541 by Qualcomm
Qpm5577 by Qualcomm
Qpm5579 by Qualcomm
Qpm5621 by Qualcomm
Qpm5641 by Qualcomm
Qpm5658 by Qualcomm
Qpm5670 by Qualcomm
Qpm5677 by Qualcomm
Qpm5679 by Qualcomm
Qpm5870 by Qualcomm
Qpm5875 by Qualcomm
Qpm6325 by Qualcomm
Qpm6375 by Qualcomm
Qpm6582 by Qualcomm
Qpm6585 by Qualcomm
Qpm6621 by Qualcomm
Qpm6670 by Qualcomm
Qpm8820 by Qualcomm
Qpm8830 by Qualcomm
Qpm8870 by Qualcomm
Qpm8895 by Qualcomm
Qsm7250 by Qualcomm
Qsw6310 by Qualcomm
Qsw8573 by Qualcomm
Qsw8574 by Qualcomm
Qtc410s by Qualcomm
Qtc800h by Qualcomm
Qtc800s by Qualcomm
Qtc801s by Qualcomm
Qtm525 by Qualcomm
Qtm527 by Qualcomm
Qualcomm215 by Qualcomm
Sa6145p by Qualcomm
Sa6155 by Qualcomm
Sa6155p by Qualcomm
Sa8150p by Qualcomm
Sa8155 by Qualcomm
Sa8155p by Qualcomm
Sa8195p by Qualcomm
Sd205 by Qualcomm
Sd210 by Qualcomm
Sd429 by Qualcomm
Sd460 by Qualcomm
Sd662 by Qualcomm
Sd665 by Qualcomm
Sd670 by Qualcomm
Sd675 by Qualcomm
Sd6905g by Qualcomm
Sd710 by Qualcomm
Sd720g by Qualcomm
Sd730 by Qualcomm
Sd750g by Qualcomm
Sd765 by Qualcomm
Sd765g by Qualcomm
Sd768g by Qualcomm
Sd845 by Qualcomm
Sd855 by Qualcomm
Sd8655g by Qualcomm
Sd8885g by Qualcomm
Sd8c by Qualcomm
Sd8cx by Qualcomm
Sda429w by Qualcomm
Sdm429w by Qualcomm
Sdr425 by Qualcomm
Sdr660 by Qualcomm
Sdr660g by Qualcomm
Sdr675 by Qualcomm
Sdr735 by Qualcomm
Sdr735g by Qualcomm
Sdr8150 by Qualcomm
Sdr8250 by Qualcomm
Sdr865 by Qualcomm
Sdx55 by Qualcomm
Sdx55m by Qualcomm
Sdxr1 by Qualcomm
Sdxr25g by Qualcomm
Sm4125 by Qualcomm
Sm6250 by Qualcomm
Sm6250p by Qualcomm
Sm7250p by Qualcomm
Sm7350 by Qualcomm
Smb1351 by Qualcomm
Smb1354 by Qualcomm
Smb1355 by Qualcomm
Smb1380 by Qualcomm
Smb1381 by Qualcomm
Smb1390 by Qualcomm
Smb1394 by Qualcomm
Smb1395 by Qualcomm
Smb1396 by Qualcomm
Smb1398 by Qualcomm
Smb2351 by Qualcomm
Smr525 by Qualcomm
Smr526 by Qualcomm
Smr545 by Qualcomm
Smr546 by Qualcomm
Wcd9306 by Qualcomm
Wcd9326 by Qualcomm
Wcd9335 by Qualcomm
Wcd9340 by Qualcomm
Wcd9341 by Qualcomm
Wcd9370 by Qualcomm
Wcd9371 by Qualcomm
Wcd9375 by Qualcomm
Wcd9380 by Qualcomm
Wcd9385 by Qualcomm
Wcn3610 by Qualcomm
Wcn3615 by Qualcomm
Wcn3620 by Qualcomm
Wcn3660b by Qualcomm
Wcn3680 by Qualcomm
Wcn3680b by Qualcomm
Wcn3910 by Qualcomm
Wcn3950 by Qualcomm
Wcn3980 by Qualcomm
Wcn3988 by Qualcomm
Wcn3990 by Qualcomm
Wcn3991 by Qualcomm
Wcn3998 by Qualcomm
Wcn3999 by Qualcomm
Wcn6740 by Qualcomm
Wcn6750 by Qualcomm
Wcn6850 by Qualcomm
Wcn6851 by Qualcomm
Wcn6856 by Qualcomm
Wgr7640 by Qualcomm
Wsa8810 by Qualcomm
Wsa8815 by Qualcomm
Wsa8830 by Qualcomm
Wsa8835 by Qualcomm
Wtr2955 by Qualcomm
Wtr2965 by Qualcomm
Wtr3925 by Qualcomm
Wtr4905 by Qualcomm
Wtr5975 by Qualcomm
Wtr6955 by Qualcomm
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with kernel-level privileges, allowing complete control over affected device including data theft, persistence, and further network propagation.
Likely Case
Local privilege escalation from user to kernel mode, enabling installation of malware, data access, and system manipulation.
If Mitigated
Limited impact with proper access controls and isolation, potentially only denial of service or system instability.
🌐 Internet-Facing: LOW - Requires local access to device, not directly exploitable over network.
🏢 Internal Only: HIGH - Local attackers or malware with user access can exploit to gain kernel privileges.
🎯 Exploit Status
Public PoC:
✅ No
Weaponized:
UNKNOWN
Unauthenticated Exploit:
✅ No
Complexity:
MEDIUM
Requires local access and ability to make IOCTL calls; kernel exploitation knowledge needed for reliable exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varies by device manufacturer and chipset - check device vendor updates
Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/december-2020-bulletin
Restart Required: Yes
Instructions:
1. Check with device manufacturer for firmware updates. 2. Apply latest security patches from device vendor. 3. Reboot device after update. 4. Verify patch installation.
🔧 Temporary Workarounds
Restrict IOCTL access
linuxLimit access to vulnerable IOCTL interfaces through SELinux/AppArmor policies
# Requires custom SELinux/AppArmor policy configuration
# Consult device manufacturer for specific implementation
🧯 If You Can't Patch
- Implement strict application sandboxing and privilege separation
- Monitor for unusual kernel module loading or privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check device firmware version against manufacturer's patched versions; use 'getprop ro.build.fingerprint' on Android devicesCheck Version:
adb shell getprop ro.build.fingerprint (for Android devices)Verify Fix Applied:
Verify firmware version matches or exceeds patched version from manufacturer advisory📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- Unexpected IOCTL calls from user processes
- Privilege escalation attempts in audit logs
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
source="kernel" AND ("panic" OR "oops") OR source="audit" AND "ioctl" AND "denied"