CVE-2024-33028

Q: What is the severity of CVE-2024-33028?

CVE-2024-33028 has a CVSS score of 8.4 (HIGH). This CVE describes a use-after-free vulnerability in Qualcomm graphics drivers where a fence object may still be accessed after being released during timeline destruction. This memory corruption could allow attackers to execute arbitrary code or cause denial of service. Affected systems include devices with vulnerable Qualcomm GPU drivers.

8.4 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in Qualcomm graphics drivers where a fence object may still be accessed after being released during timeline destruction. This memory corruption could allow attackers to execute arbitrary code or cause denial of service. Affected systems include devices with vulnerable Qualcomm GPU drivers.

💻 Affected Systems

Products:

Qualcomm Adreno GPU drivers
Devices with Qualcomm Snapdragon processors

Versions: Multiple versions prior to August 2024 security updates

Operating Systems: Android, Linux-based systems with Qualcomm drivers

Default Config Vulnerable: ⚠️ Yes

Notes: Specific affected driver versions vary by device model and chipset

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with kernel privileges leading to complete system compromise

🟠

Likely Case

Local privilege escalation or denial of service through application crashes

🟢

If Mitigated

Application crashes without privilege escalation if exploit fails

🌐 Internet-Facing: LOW (requires local access to graphics APIs)

🏢 Internal Only: MEDIUM (local attackers could exploit for privilege escalation)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access to graphics APIs and precise timing to trigger use-after-free

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: August 2024 security updates

Vendor Advisory: https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html

Restart Required: Yes

Instructions:

1. Check device manufacturer for August 2024 security updates. 2. Apply Qualcomm GPU driver updates. 3. Reboot device. 4. Verify patch installation.

🔧 Temporary Workarounds

Restrict graphics API access

all

Limit which applications can access low-level graphics APIs

🧯 If You Can't Patch

Implement strict application sandboxing to limit graphics API access
Monitor for abnormal graphics driver crashes or memory corruption events

🔍 How to Verify

Check if Vulnerable:

Check GPU driver version against Qualcomm's August 2024 security bulletin

Check Version:

adb shell getprop ro.build.version.security_patch (Android) or check GPU driver version in system logs

Verify Fix Applied:

Verify GPU driver version is updated to August 2024 or later security patch level

📡 Detection & Monitoring

Log Indicators:

GPU driver crashes
Memory corruption errors in kernel logs
Abnormal fence object operations

Network Indicators:

None (local vulnerability)

SIEM Query:

source="kernel" AND ("GPU" OR "fence" OR "timeline") AND ("crash" OR "corruption" OR "use-after-free")

📊 Metadata

CVE ID: CVE-2024-33028

CVSS v3 Score: 8.4 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: August 5, 2024

Last Updated: November 20, 2024

🔗 References

https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Ar8035 Firmware by Qualcomm

Csra6620 Firmware by Qualcomm

Csra6640 Firmware by Qualcomm

Fastconnect 6200 Firmware by Qualcomm

Fastconnect 6700 Firmware by Qualcomm

Fastconnect 6900 Firmware by Qualcomm

Fastconnect 7800 Firmware by Qualcomm

Flight Rb5 5g Platform Firmware by Qualcomm

Mdm9628 Firmware by Qualcomm

Qam8255p Firmware by Qualcomm

Qam8295p Firmware by Qualcomm

Qam8620p Firmware by Qualcomm

Qam8650p Firmware by Qualcomm

Qam8775p Firmware by Qualcomm

Qamsrv1h Firmware by Qualcomm

Qamsrv1m Firmware by Qualcomm

Qca6174a Firmware by Qualcomm

Qca6391 Firmware by Qualcomm

Qca6564a Firmware by Qualcomm

Qca6564au Firmware by Qualcomm

Qca6574 Firmware by Qualcomm

Qca6574a Firmware by Qualcomm

Qca6574au Firmware by Qualcomm

Qca6584au Firmware by Qualcomm

Qca6595 Firmware by Qualcomm

Qca6595au Firmware by Qualcomm

Qca6678aq Firmware by Qualcomm

Qca6688aq Firmware by Qualcomm

Qca6696 Firmware by Qualcomm

Qca6698aq Firmware by Qualcomm

Qca6797aq Firmware by Qualcomm

Qca8081 Firmware by Qualcomm

Qca8337 Firmware by Qualcomm

Qca9367 Firmware by Qualcomm

Qca9377 Firmware by Qualcomm

Qcc710 Firmware by Qualcomm

Qcm4325 Firmware by Qualcomm

Qcm5430 Firmware by Qualcomm

Qcm6125 Firmware by Qualcomm

Qcm6490 Firmware by Qualcomm

Qcm8550 Firmware by Qualcomm

Qcn6224 Firmware by Qualcomm

Qcn6274 Firmware by Qualcomm

Qcn9011 Firmware by Qualcomm

Qcn9012 Firmware by Qualcomm

Qcs410 Firmware by Qualcomm

Qcs5430 Firmware by Qualcomm

Qcs610 Firmware by Qualcomm

Qcs6125 Firmware by Qualcomm

Qcs6490 Firmware by Qualcomm

Qcs7230 Firmware by Qualcomm

Qcs8250 Firmware by Qualcomm

Qcs8550 Firmware by Qualcomm

Qdu1000 Firmware by Qualcomm

Qdu1010 Firmware by Qualcomm

Qdu1110 Firmware by Qualcomm

Qdu1210 Firmware by Qualcomm

Qdx1010 Firmware by Qualcomm

Qdx1011 Firmware by Qualcomm

Qep8111 Firmware by Qualcomm

Qfw7114 Firmware by Qualcomm

Qfw7124 Firmware by Qualcomm

Qrb5165m Firmware by Qualcomm

Qrb5165n Firmware by Qualcomm

Qru1032 Firmware by Qualcomm

Qru1052 Firmware by Qualcomm

Qru1062 Firmware by Qualcomm

Robotics Rb5 Platform Firmware by Qualcomm

Sa4150p Firmware by Qualcomm

Sa4155p Firmware by Qualcomm

Sa6145p Firmware by Qualcomm

Sa6150p Firmware by Qualcomm

Sa6155p Firmware by Qualcomm

Sa7255p Firmware by Qualcomm

Sa7775p Firmware by Qualcomm

Sa8145p Firmware by Qualcomm

Sa8150p Firmware by Qualcomm