CVE-2020-3632

7.8 HIGH

📋 TL;DR

This vulnerability in Qualcomm Snapdragon chipsets stems from improper validation of ring context data fetched from host memory, which can lead to memory overflow. It affects various Snapdragon Compute and Mobile platforms including QSM8350, SC7180, and multiple SDX/SM/SXR series chips. Attackers could exploit this to execute arbitrary code or cause denial of service on affected devices.

💻 Affected Systems

Products:
  • Snapdragon Compute
  • Snapdragon Mobile
Versions: Chipsets: QSM8350, SC7180, SDX55, SDX55M, SM6150, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P
Operating Systems: Android, Linux-based systems using affected chipsets
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices using the listed Qualcomm Snapdragon chipsets. The vulnerability is in the hardware/firmware layer.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, data theft, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation allowing attackers to gain elevated privileges on the device.

🟢 If Mitigated

Denial of service or system instability if memory corruption occurs but exploitation fails.

🌐 Internet-Facing: MEDIUM - Requires local access or malware execution, but could be combined with other vulnerabilities for remote exploitation.
🏢 Internal Only: HIGH - Local attackers or malicious apps could exploit this for privilege escalation on affected devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access or ability to execute code on the device. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to device manufacturer updates - November 2020 security patches

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/november-2020-bulletin

Restart Required: Yes

Instructions:

1. Check with device manufacturer for security updates.
2. Apply the latest firmware/security patch from your device vendor.
3. Reboot device after update installation.

🔧 Temporary Workarounds

No direct workaround available

This is a hardware/firmware vulnerability requiring vendor patches

🧯 If You Can't Patch

  • Restrict physical access to devices and implement application whitelisting
  • Monitor for unusual system behavior and implement endpoint detection

🔍 How to Verify

Check if Vulnerable:

Check device chipset model and compare with affected list. On Android: Settings > About phone > Hardware info

Check Version:

Android: adb shell getprop ro.boot.hardware.sku or check device specifications

Verify Fix Applied:

Verify security patch level is November 2020 or later. On Android: Settings > About phone > Android security patch level
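The two checks above (chipset on the affected list, patch level November 2020 or later) can be combined for fleet triage. The script below is an added example, not part of the vendor advisory or this page's source; the properties ro.soc.model and ro.build.version.security_patch are assumptions about what the device build exposes, and the inventory lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the advisory. Chipset list and the November 2020
# threshold are copied from this page; the inventory below is constructed.
AFFECTED="QSM8350 SC7180 SDX55 SDX55M SM6150 SM6250 SM6250P SM7125 SM7150 SM7150P SM7250 SM7250P SM8150 SM8150P SM8250 SM8350 SM8350P SXR2130 SXR2130P"

# classify_device <chipset> <patch level YYYY-MM-DD>
# Prints NOT_AFFECTED, PATCHED, VULNERABLE or UNKNOWN.
classify_device() {
    # Normalise case and strip whitespace (adb output may carry a trailing CR).
    chip=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -d '[:space:]')
    patch=$(printf '%s' "$2" | tr -d '[:space:]')
    [ -n "$chip" ] || { echo UNKNOWN; return 0; }
    case " $AFFECTED " in
        *" $chip "*) ;;
        *) echo NOT_AFFECTED; return 0 ;;
    esac
    # A missing or malformed patch level must not be read as "patched".
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    ym=$(printf '%s' "$patch" | cut -c1-4,6-7)   # 2020-11-05 -> 202011
    if [ "$ym" -ge 202011 ]; then echo PATCHED; else echo VULNERABLE; fi
}

# Read "serial chipset patch-level" lines on stdin, print "serial verdict".
triage_inventory() {
    while read -r serial chip patch; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(classify_device "$chip" "$patch")"
    done
}

# Live use (not run here). Assumption: ro.soc.model is populated only on
# Android 12 and later; on older builds pass the chipset name by hand.
check_adb_device() {
    classify_device "$(adb shell getprop ro.soc.model)" \
                    "$(adb shell getprop ro.build.version.security_patch)"
}

# Constructed sample inventory: one line per device.
SAMPLE_INVENTORY='dev-01 SM8250 2020-09-05
dev-02 SM8250 2020-11-05
dev-03 SC7180
dev-04 SDM845 2019-06-01'
printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
```

Devices reported as UNKNOWN need a manual check against the manufacturer's update notes, since the fix ships through the device vendor rather than directly from Qualcomm.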

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • Memory corruption errors in system logs
  • Unexpected privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from system processes
  • Suspicious inter-process communication

SIEM Query:

Device logs showing privilege escalation or memory corruption events on Qualcomm chipset devices
