CVE-2024-33036

6.7 MEDIUM

📋 TL;DR

This CVE describes a memory corruption vulnerability in Qualcomm camera drivers where a user-space variable is used for kernel memory allocation, potentially leading to buffer overflows or invalid memory access. Attackers could exploit this to execute arbitrary code or cause denial of service. Affected systems include devices using vulnerable Qualcomm chipsets with camera functionality.

💻 Affected Systems

Products:
  • Qualcomm Snapdragon chipsets with camera drivers
Versions: Specific versions not detailed in reference; check Qualcomm December 2024 bulletin
Operating Systems: Android, Linux-based systems using Qualcomm drivers
Default Config Vulnerable: ⚠️ Yes
Notes: Requires camera functionality to be enabled/used. Affects mobile devices, IoT, and embedded systems with Qualcomm chips.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel privilege escalation leading to full system compromise, arbitrary code execution at kernel level, or permanent device bricking.

🟠 Likely Case

Local privilege escalation from user to kernel space, application crashes, or system instability requiring reboot.

🟢 If Mitigated

Denial of service through application crashes if exploit attempts are blocked by security controls.

🌐 Internet-Facing: LOW - Requires local access or malicious app installation, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Malicious apps or compromised user accounts could exploit this locally on affected devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to interact with camera driver. No public exploit code known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Qualcomm December 2024 security bulletin for specific chipset updates

Vendor Advisory: https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2024-bulletin.html

Restart Required: Yes

Instructions:

1. Check Qualcomm advisory for affected chipset.
2. Obtain firmware/OS update from device manufacturer.
3. Apply update following manufacturer instructions.
4. Reboot device to load patched driver.

🔧 Temporary Workarounds

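Disable camera functionality (Linux)

Temporarily disable the camera hardware/driver to prevent exploitation. camera_driver_module is a placeholder; substitute the module name that lsmod reports for the camera driver on the device.

echo 'blacklist camera_driver_module' >> /etc/modprobe.d/blacklist.conf
rmmod camera_driver_module

Restrict camera permissions (Linux)

Limit which applications can access camera hardware. Adjust /dev/camera* to the device nodes the driver actually exposes.

chmod 600 /dev/camera*
setenforce 1   # only if SELinux is enabled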

🧯 If You Can't Patch

  • Implement strict application whitelisting to prevent malicious camera access
  • Use kernel hardening features like SELinux/AppArmor to restrict driver interactions

🔍 How to Verify

Check if Vulnerable:

Check Qualcomm chipset version and compare against December 2024 security bulletin. Review dmesg for camera driver errors.

Check Version:

grep -i qualcomm /proc/cpuinfo && uname -r

Verify Fix Applied:

Verify kernel/driver version matches patched version from manufacturer. Test camera functionality works without crashes.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • Camera driver crash logs
  • Unexpected memory allocation failures in kernel logs

Network Indicators:

  • None - local exploitation only

SIEM Query:

source="kernel" AND ("camera" OR "sensor") AND ("panic" OR "corruption" OR "allocation failed")
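
The same match logic applied locally to kernel log text, as an added example that is not part of the original page or of Qualcomm's advisory. The function names and the sample log lines are constructed for illustration, and case-insensitive matching is an assumption about how the SIEM evaluates the query.

```shell
#!/bin/sh
# Added example: local equivalent of the SIEM query above.
# Function names and sample data are hypothetical, not from the advisory.

# Reads kernel log lines on stdin and prints those that satisfy
# ("camera" OR "sensor") AND ("panic" OR "corruption" OR "allocation failed").
# Case-insensitive matching is an assumption.
match_camera_faults() {
    grep -iE 'camera|sensor' | grep -iE 'panic|corruption|allocation failed'
}

# Prints the number of matching lines (0 when nothing matches).
count_camera_faults() {
    match_camera_faults | wc -l | tr -d ' '
}

# Constructed sample lines, not real device output.
sample_log() {
    cat <<'EOF'
[  101.204511] cam_sensor: probe ok
[  245.881002] camera: allocation failed for request buffer
[  245.881310] wlan: link down
[  245.902144] Kernel panic - not syncing: Fatal exception
[  300.015772] sensor: memory corruption detected in cmd buffer
EOF
}

# Stand-alone run: show which sample lines the query would alert on.
sample_log | match_camera_faults
```

On the sample data only the "allocation failed" and "memory corruption" lines match. The generic "Kernel panic" line names neither "camera" nor "sensor", so the first log indicator listed above needs a separate rule or manual correlation by timestamp.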
