CVE-2021-35104
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on affected Qualcomm Snapdragon devices by exploiting a buffer overflow in the FLAC audio header parser. Attackers can trigger this by tricking users into playing a malicious FLAC audio file. The vulnerability affects a wide range of Qualcomm-powered devices across automotive, IoT, wearables, and networking products.
💻 Affected Systems
- Snapdragon Auto
- Snapdragon Compute
- Snapdragon Connectivity
- Snapdragon Consumer IOT
- Snapdragon Industrial IOT
- Snapdragon Voice & Music
- Snapdragon Wearables
- Snapdragon Wired Infrastructure and Networking
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise, potentially allowing attackers to take complete control of affected devices, steal sensitive data, or deploy persistent malware.
Likely Case
Remote code execution leading to application crashes, denial of service, or limited privilege escalation depending on the context of the vulnerable audio processing component.
If Mitigated
Application crash or denial of service if exploit attempts are blocked by memory protection mechanisms, but no code execution.
🎯 Exploit Status
Exploitation requires user interaction to play a malicious FLAC file, but no authentication is needed once the file is processed. The buffer overflow nature suggests reliable exploitation is possible with proper crafting.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Qualcomm's April 2022 security bulletin for specific chipset/firmware versions
Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/april-2022-bulletin
Restart Required: Yes
Instructions:
1. Check Qualcomm's April 2022 security bulletin for your specific chipset.
2. Contact your device manufacturer for firmware updates.
3. Apply the firmware update following manufacturer instructions.
4. Reboot the device after update completion.
🔧 Temporary Workarounds
Disable FLAC playback
Remove or disable FLAC audio codec support to prevent processing of malicious FLAC files
Specific commands depend on device configuration and OS; consult manufacturer documentation
Application sandboxing
Run audio processing components with reduced privileges to limit the impact of potential exploitation
Implement SELinux/AppArmor policies to restrict audio service permissions
🧯 If You Can't Patch
- Network segmentation to isolate vulnerable devices from untrusted networks
- Implement application allowlisting to prevent execution of unauthorized code
🔍 How to Verify
Check if Vulnerable:
Check device firmware version against Qualcomm's patched versions in the April 2022 bulletin. Use 'getprop ro.build.fingerprint' on Android or similar system queries on other platforms.
Check Version:
Platform-specific: Android: 'getprop ro.build.fingerprint' or 'getprop ro.build.version.security_patch'; Linux: check /proc/version or manufacturer-specific version files
Verify Fix Applied:
Confirm firmware version has been updated to a patched version listed in Qualcomm's advisory. Test FLAC playback functionality to ensure it still works without crashes.
📡 Detection & Monitoring
Log Indicators:
- Audio service crashes
- FLAC parsing errors in system logs
- Memory access violation logs
Network Indicators:
- Unexpected FLAC file transfers to devices
- Network traffic patterns suggesting exploit delivery
SIEM Query:
Example: 'event_category:application_crash AND (process_name:audio* OR process_name:codec*)', correlated with file_type:flac indicators from the same device or process
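The correlation the SIEM query describes (an audio/codec process crash paired with FLAC activity in the same process), worked as an added example over constructed logcat-style lines; this is not code from the page or from Qualcomm, and the log layout, tag names and process names are assumptions.

```python
import re
from collections import defaultdict

# Constructed logcat-style sample (not real device output). Only pid 1423 both
# handles FLAC data and crashes in an audio process; the others are near misses.
SAMPLE_LOG = """\
04-10 12:00:01.120  1423  1423 I MediaExtractor: opening /sdcard/Music/track01.flac
04-10 12:00:01.130  1423  1423 E FLACExtractor: parseMetadata failed: METADATA_BLOCK_HEADER length out of range
04-10 12:00:01.140  1423  1423 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 1423 (audioserver)
04-10 12:05:00.010  2001  2001 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x8 in tid 2001 (audioserver)
04-10 12:07:00.000  2100  2100 E FLACExtractor: parseMetadata failed: bad STREAMINFO block
04-10 12:09:00.000  3000  3000 I Browser : download complete: /sdcard/Download/mix.flac
04-10 12:09:00.500  3000  3000 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x4 in tid 3000 (com.example.browser)
"""

# Generic logcat "threadtime" layout: date time pid tid level tag: message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>\S+?)\s*:\s*(?P<msg>.*)$"
)
# Native crash line; the trailing "(name)" is the crashing process.
CRASH_RE = re.compile(r"Fatal signal \d+ \(\w+\).*\((?P<proc>[\w.\-]+)\)\s*$")

def is_audio_process(name: str) -> bool:
    # Same scope as the page's query terms process_name:audio* OR codec*.
    return name.startswith(("audio", "codec"))

def parse(log: str) -> list[dict]:
    """Split raw logcat text into field dictionaries, skipping unparseable lines."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def correlate(events: list[dict]) -> list[str]:
    """One alert per pid that both handled FLAC data and crashed in an audio process."""
    flac_ctx: dict[str, list[str]] = defaultdict(list)
    crashes: dict[str, str] = {}
    for e in events:
        msg = e["msg"]
        if e["tag"].upper().startswith("FLAC") or ".flac" in msg.lower():
            flac_ctx[e["pid"]].append(msg)
        m = CRASH_RE.search(msg)
        if m and is_audio_process(m.group("proc")):
            crashes[e["pid"]] = m.group("proc")
    return [
        f"pid {pid} ({proc}): audio process crash with FLAC activity: {flac_ctx[pid][-1]}"
        for pid, proc in crashes.items() if pid in flac_ctx
    ]

if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

A crash alone, a FLAC parse error alone, or a crash in a non-audio process each stays below the alert threshold, which keeps the rule from firing on routine media failures.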