CVE-2021-1914

Q: What is the severity of CVE-2021-1914?

CVE-2021-1914 has a CVSS score of 7.5 (HIGH). CVE-2021-1914 is an infinite loop vulnerability in Qualcomm Snapdragon chipsets where improper handling of unsupported input can cause a denial of service condition. This affects various Snapdragon platforms including Auto, Compute, Connectivity, Consumer IoT, Industrial IoT, IoT, Voice & Music, and Wearables. Attackers could potentially crash affected devices or cause resource exhaustion.

7.5 HIGH

Denial of Service

📋 TL;DR

CVE-2021-1914 is an infinite loop vulnerability in Qualcomm Snapdragon chipsets where improper handling of unsupported input can cause a denial of service condition. This affects various Snapdragon platforms including Auto, Compute, Connectivity, Consumer IoT, Industrial IoT, IoT, Voice & Music, and Wearables. Attackers could potentially crash affected devices or cause resource exhaustion.

💻 Affected Systems

Products:

Snapdragon Auto
Snapdragon Compute
Snapdragon Connectivity
Snapdragon Consumer IOT
Snapdragon Industrial IOT
Snapdragon IoT
Snapdragon Voice & Music
Snapdragon Wearables

Versions: Specific chipset versions not detailed in public advisory; affected by firmware/driver implementations

Operating Systems: Android-based systems, embedded Linux, RTOS implementations using affected Snapdragon chipsets

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in chipset firmware/drivers; exact affected configurations depend on device manufacturer implementations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device crash or permanent denial of service requiring physical reset, potentially leading to system instability in critical infrastructure or automotive systems.

🟠

Likely Case

Temporary denial of service causing device reboot or application crashes, disrupting normal operations.

🟢

If Mitigated

Minimal impact with proper input validation and monitoring in place, potentially causing only localized application failures.

🌐 Internet-Facing: MEDIUM - Requires specific malformed input to trigger, but could be exploited remotely if vulnerable services are exposed.

🏢 Internal Only: MEDIUM - Could be exploited through local applications or malicious inputs from within the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires sending specific malformed input to trigger the infinite loop condition; complexity depends on access to vulnerable interfaces.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to device manufacturer firmware updates; Qualcomm provided fixes to OEMs

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/august-2021-bulletin

Restart Required: Yes

Instructions:

1. Check with device manufacturer for firmware updates. 2. Apply manufacturer-provided firmware patches. 3. Reboot device after update. 4. Verify patch installation through version checks.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement additional input validation at application layer to filter potentially malicious inputs before reaching vulnerable chipset components.

Resource Monitoring

linux

Monitor system resources and implement watchdog timers to detect and recover from potential infinite loop conditions.

🧯 If You Can't Patch

Isolate affected devices from untrusted networks and limit exposure to potential attack vectors.
Implement strict input validation in all applications interfacing with chipset components.

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against manufacturer security bulletins; examine system logs for unexpected reboots or resource exhaustion events.

Check Version:

Device-specific commands vary by manufacturer; typically 'getprop ro.build.version.security_patch' for Android or manufacturer-specific firmware check utilities.

Verify Fix Applied:

Verify firmware version matches manufacturer's patched version; monitor system stability and absence of related crash events.

📡 Detection & Monitoring

Log Indicators:

Unexpected device reboots
Kernel panic logs
Resource exhaustion warnings
Watchdog timeout events

Network Indicators:

Unusual input patterns to device services
Protocol anomalies in chipset communication

SIEM Query:

Search for: (event_category="system_reboot" OR event_category="kernel_panic") AND device_type="snapdragon"

📊 Metadata

CVE ID: CVE-2021-1914

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-835

Published: September 8, 2021

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/august-2021-bulletin Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/august-2021-bulletin Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Apq8009 Firmware by Qualcomm

Apq8009w Firmware by Qualcomm

Apq8017 Firmware by Qualcomm

Apq8037 Firmware by Qualcomm

Apq8053 Firmware by Qualcomm

Apq8096au Firmware by Qualcomm

Aqt1000 Firmware by Qualcomm

Csr6030 Firmware by Qualcomm

Csrb31024 Firmware by Qualcomm

Mdm8207 Firmware by Qualcomm

Mdm9150 Firmware by Qualcomm

Mdm9205 Firmware by Qualcomm

Mdm9206 Firmware by Qualcomm

Mdm9207 Firmware by Qualcomm

Mdm9250 Firmware by Qualcomm

Mdm9607 Firmware by Qualcomm

Mdm9628 Firmware by Qualcomm

Mdm9640 Firmware by Qualcomm

Mdm9650 Firmware by Qualcomm

Msm8108 Firmware by Qualcomm

Msm8208 Firmware by Qualcomm

Msm8209 Firmware by Qualcomm

Msm8608 Firmware by Qualcomm

Msm8909w Firmware by Qualcomm

Msm8917 Firmware by Qualcomm

Msm8920 Firmware by Qualcomm

Msm8937 Firmware by Qualcomm

Msm8940 Firmware by Qualcomm

Msm8953 Firmware by Qualcomm

Msm8976 Firmware by Qualcomm

Msm8976sg Firmware by Qualcomm

Msm8996au Firmware by Qualcomm

Qca4004 Firmware by Qualcomm

Qca6174a Firmware by Qualcomm

Qca6310 Firmware by Qualcomm

Qca6320 Firmware by Qualcomm

Qca6335 Firmware by Qualcomm

Qca6390 Firmware by Qualcomm

Qca6391 Firmware by Qualcomm

Qca6420 Firmware by Qualcomm

Qca6421 Firmware by Qualcomm

Qca6426 Firmware by Qualcomm

Qca6430 Firmware by Qualcomm

Qca6431 Firmware by Qualcomm

Qca6436 Firmware by Qualcomm

Qca6564a Firmware by Qualcomm

Qca6564au Firmware by Qualcomm

Qca6574 Firmware by Qualcomm

Qca6574a Firmware by Qualcomm

Qca6574au Firmware by Qualcomm

Qca6584 Firmware by Qualcomm

Qca6584au Firmware by Qualcomm

Qca6595au Firmware by Qualcomm

Qca6694 Firmware by Qualcomm

Qca6694au Firmware by Qualcomm

Qca6696 Firmware by Qualcomm

Qca9367 Firmware by Qualcomm

Qca9377 Firmware by Qualcomm

Qca9379 Firmware by Qualcomm

Qcm4290 Firmware by Qualcomm

Qcm6125 Firmware by Qualcomm

Qcs410 Firmware by Qualcomm

Qcs4290 Firmware by Qualcomm

Qcs603 Firmware by Qualcomm

Qcs605 Firmware by Qualcomm

Qcs610 Firmware by Qualcomm

Qcs6125 Firmware by Qualcomm

Qcx315 Firmware by Qualcomm

Qsw8573 Firmware by Qualcomm

Qualcomm215 Firmware by Qualcomm

Sa415m Firmware by Qualcomm

Sa515m Firmware by Qualcomm

Sa8155 Firmware by Qualcomm

Sa8155p Firmware by Qualcomm

Sc8180x Firmware by Qualcomm

Sd 455 Firmware by Qualcomm

Sd 636 Firmware by Qualcomm