CVE-2024-33053

Q: What is the severity of CVE-2024-33053?

CVE-2024-33053 has a CVSS score of 6.7 (MEDIUM). CVE-2024-33053 is a use-after-free vulnerability in Qualcomm's CVP buffer management that allows memory corruption when multiple threads simultaneously unregister buffers. This could lead to arbitrary code execution or system crashes on affected Qualcomm devices. The vulnerability affects devices using Qualcomm chipsets with vulnerable CVP firmware.

6.7 MEDIUM

Denial of Service

📋 TL;DR

CVE-2024-33053 is a use-after-free vulnerability in Qualcomm's CVP buffer management that allows memory corruption when multiple threads simultaneously unregister buffers. This could lead to arbitrary code execution or system crashes on affected Qualcomm devices. The vulnerability affects devices using Qualcomm chipsets with vulnerable CVP firmware.

💻 Affected Systems

Products:

Qualcomm chipsets with CVP (Computer Vision Processor) functionality

Versions: Specific firmware versions not publicly detailed in the bulletin; affected versions vary by chipset model.

Operating Systems: Android and other OSes using Qualcomm chipsets

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability is in Qualcomm's firmware/driver layer, affecting multiple device manufacturers using affected chipsets. Check Qualcomm's December 2024 bulletin for specific chipset models.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full device compromise with kernel-level code execution, allowing attackers to bypass security controls, install persistent malware, or brick the device.

🟠

Likely Case

Application crashes, denial of service, or limited privilege escalation within the affected process context.

🟢

If Mitigated

System stability issues or application crashes without code execution if exploit attempts fail or are blocked by security controls.

🌐 Internet-Facing: MEDIUM - Requires local access or malicious app installation, but could be combined with other vulnerabilities for remote exploitation.

🏢 Internal Only: HIGH - Malicious apps or compromised processes could exploit this to escalate privileges or disrupt device functionality.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires multi-threaded timing attacks and local access. No public exploits known as of December 2024.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Qualcomm's December 2024 security bulletin for specific firmware versions

Vendor Advisory: https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2024-bulletin.html

Restart Required: Yes

Instructions:

1. Check Qualcomm's December 2024 security bulletin for affected chipset models. 2. Contact device manufacturer for firmware updates. 3. Apply firmware updates through manufacturer's update mechanism. 4. Reboot device after update.

🔧 Temporary Workarounds

Disable CVP functionality

all

Disable Computer Vision Processor features if not required

Device-specific; may require manufacturer configuration

Restrict app permissions

android

Limit camera and vision-related permissions to trusted apps only

adb shell pm revoke <package> android.permission.CAMERA
adb shell pm revoke <package> android.permission-group.CAMERA

🧯 If You Can't Patch

Isolate affected devices from critical networks and sensitive data
Implement application allowlisting to prevent untrusted apps from accessing CVP functionality

🔍 How to Verify

Check if Vulnerable:

Check device chipset model and firmware version against Qualcomm's affected list in December 2024 bulletin

Check Version:

adb shell getprop ro.bootloader (for Android devices) or manufacturer-specific firmware check commands

Verify Fix Applied:

Verify firmware version has been updated to a version after the patch release date

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
CVP driver crash messages
Memory corruption warnings in system logs

Network Indicators:

Unusual local process communication attempts to CVP services

SIEM Query:

Device logs showing CVP service crashes OR kernel memory corruption events

📊 Metadata

CVE ID: CVE-2024-33053

CVSS v3 Score: 6.7 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: December 2, 2024

Last Updated: December 12, 2024

🔗 References

https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2024-bulletin.html Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

C V2x 9150 Firmware by Qualcomm

Fastconnect 6200 Firmware by Qualcomm

Fastconnect 6800 Firmware by Qualcomm

Fastconnect 6900 Firmware by Qualcomm

Qam8295p Firmware by Qualcomm

Qca6391 Firmware by Qualcomm

Qca6426 Firmware by Qualcomm

Qca6436 Firmware by Qualcomm

Qca6574au Firmware by Qualcomm

Qca6696 Firmware by Qualcomm

Qca8337 Firmware by Qualcomm

Qcn9074 Firmware by Qualcomm

Qcs410 Firmware by Qualcomm

Qcs610 Firmware by Qualcomm

Qsm8250 Firmware by Qualcomm

Sa6145p Firmware by Qualcomm

Sa6150p Firmware by Qualcomm

Sa6155p Firmware by Qualcomm

Sa8145p Firmware by Qualcomm

Sa8150p Firmware by Qualcomm

Sa8155p Firmware by Qualcomm

Sa8195p Firmware by Qualcomm

Sa8295p Firmware by Qualcomm

Sa8530p Firmware by Qualcomm

Sa8540p Firmware by Qualcomm

Sa9000p Firmware by Qualcomm

Sd865 5g Firmware by Qualcomm

Sdx55 Firmware by Qualcomm

Sm7250p Firmware by Qualcomm

Snapdragon 690 5g Mobile Platform Firmware by Qualcomm

Snapdragon 750g 5g Mobile Platform Firmware by Qualcomm

Snapdragon 765 5g Mobile Platform Firmware by Qualcomm

Snapdragon 765g 5g Mobile Platform Firmware by Qualcomm

Snapdragon 768g 5g Mobile Platform Firmware by Qualcomm

Snapdragon 865 5g Mobile Platform Firmware by Qualcomm

Snapdragon 865 5g Mobile Platform Firmware by Qualcomm

Snapdragon 870 5g Mobile Platform Firmware by Qualcomm

Snapdragon X55 5g Modem Rf System Firmware by Qualcomm

Snapdragon Xr2 5g Platform Firmware by Qualcomm

Sxr2130 Firmware by Qualcomm

Video Collaboration Vc1 Platform Firmware by Qualcomm

Video Collaboration Vc3 Platform Firmware by Qualcomm

Wcd9341 Firmware by Qualcomm

Wcd9370 Firmware by Qualcomm

Wcd9375 Firmware by Qualcomm

Wcd9380 Firmware by Qualcomm

Wcd9385 Firmware by Qualcomm

Wcn3660b Firmware by Qualcomm

Wcn3680b Firmware by Qualcomm

Wcn3950 Firmware by Qualcomm

Wcn3980 Firmware by Qualcomm

Wcn3988 Firmware by Qualcomm

Wsa8810 Firmware by Qualcomm

Wsa8815 Firmware by Qualcomm

Wsa8830 Firmware by Qualcomm

Wsa8835 Firmware by Qualcomm