CVE-2023-33054

9.1 CRITICAL

📋 TL;DR

CVE-2023-33054 is a cryptographic vulnerability in Qualcomm's GPS HLOS driver that allows improper authentication when downloading GNSS assistance data. This affects Android devices with Qualcomm chipsets, potentially enabling attackers to spoof GPS data or execute arbitrary code. The vulnerability impacts mobile devices, IoT devices, and automotive systems using affected Qualcomm components.

💻 Affected Systems

Products:
  • Qualcomm Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Versions: Multiple Qualcomm chipset versions prior to December 2023 security updates
Operating Systems: Android, Linux-based systems using Qualcomm GNSS components
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with Qualcomm GNSS/GPS functionality enabled. The vulnerability is in the HLOS (High Level Operating System) driver component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with kernel privileges leading to complete device compromise, persistent backdoor installation, and GPS spoofing for location tracking manipulation.

🟠 Likely Case

GPS data manipulation leading to location spoofing, denial of service for location services, and potential information disclosure.

🟢 If Mitigated

Limited to GPS functionality disruption with no system compromise if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted GNSS assistance data to the vulnerable driver. No public exploit code is available as of this writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: December 2023 Qualcomm security bulletin patches

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin

Restart Required: Yes

Instructions:

1. Check device manufacturer for security updates.
2. Apply December 2023 or later Qualcomm security patches.
3. Update Android security patch level to December 2023 or later.
4. Reboot device after update.

🔧 Temporary Workarounds

Disable GNSS assistance data download

android

Prevent the vulnerable driver from downloading external GNSS assistance data

adb shell settings put secure location_providers_allowed -gps
adb shell pm disable com.qualcomm.location

Network filtering

linux

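Block GNSS assistance data servers at the network perimeter. iptables resolves a hostname passed to -d once, when the rule is added, so reapply the rules if the servers' addresses change.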

iptables -A OUTPUT -p tcp --dport 443 -d supl.google.com -j DROP
iptables -A OUTPUT -p tcp --dport 443 -d supl.qualcomm.com -j DROP

🧯 If You Can't Patch

  • Segment affected devices on isolated networks without internet access
  • Implement strict firewall rules to block all GNSS assistance data traffic

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level: Settings > About phone > Android security patch level. If it is earlier than December 2023, the device is likely vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level is December 2023 or later and Qualcomm driver version has been updated.
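The patch-level check above, scripted for more than one device. This is an added example, not vendor or Qualcomm code; the function names, the --adb/--sample switches and the sample inventory are assumptions made for illustration. It only classifies the reported patch level against the December 2023 threshold and does not confirm the Qualcomm driver version.

```shell
#!/bin/sh
# Added example (not vendor code). Threshold from the page: December 2023 or later.
FIXED_YM=202312

# classify_patch_level VALUE -> patch-level-ok | likely-vulnerable | unknown
# VALUE is the output of: getprop ro.build.version.security_patch (YYYY-MM-DD)
classify_patch_level() {
    lvl=$(printf '%s' "$1" | tr -d '[:space:]')   # adb output may carry a trailing CR
    case "$lvl" in
        [0-9][0-9][0-9][0-9]-0[1-9]-[0-9][0-9]|[0-9][0-9][0-9][0-9]-1[0-2]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;               # empty, truncated or malformed value
    esac
    ym=$(printf '%s' "$lvl" | cut -c1-4,6-7)       # 2023-12-05 -> 202312
    if [ "$ym" -ge "$FIXED_YM" ]; then
        echo patch-level-ok
    else
        echo likely-vulnerable
    fi
}

# report_lines: reads "serial patch_level" pairs on stdin, prints "serial status".
report_lines() {
    while read -r serial value; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(classify_patch_level "$value")"
    done
}

# audit_connected_devices: the same report for every device adb can see.
audit_connected_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null stops "adb shell" from swallowing the rest of the serial list
        value=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null)
        printf '%s %s\n' "$serial" "$(classify_patch_level "$value")"
    done
}

# Constructed sample inventory; serials and values are made up for illustration.
SAMPLE_INVENTORY='emulator-5554 2023-11-05
SAMPLE0001 2023-12-01
SAMPLE0002 2024-03-05
SAMPLE0003 '

if [ "${1:-}" = "--adb" ]; then
    audit_connected_devices
elif [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_INVENTORY" | report_lines
fi
```

A device that reports no value or a malformed one is listed as unknown rather than assumed patched, so it still gets a manual check.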

📡 Detection & Monitoring

Log Indicators:

  • Unusual GNSS assistance data download patterns
  • GPS driver crash logs
  • Unexpected location service behavior

Network Indicators:

  • Traffic to GNSS assistance servers (supl.google.com, supl.qualcomm.com) with abnormal patterns
  • GPS data manipulation attempts

SIEM Query:

source="android_logs" AND ("GNSS" OR "GPS") AND ("crash" OR "error" OR "assistance data")
