CVE-2024-45554

Q: What is the severity of CVE-2024-45554?

CVE-2024-45554 has a CVSS score of 7.8 (HIGH). This vulnerability allows attackers to cause memory corruption through a race condition in concurrent SSR execution on Qualcomm devices. It affects systems using Qualcomm chipsets with vulnerable firmware, potentially leading to arbitrary code execution or denial of service.

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to cause memory corruption through a race condition in concurrent SSR execution on Qualcomm devices. It affects systems using Qualcomm chipsets with vulnerable firmware, potentially leading to arbitrary code execution or denial of service.

💻 Affected Systems

Products:

Qualcomm chipsets with vulnerable firmware

Versions: Specific firmware versions listed in Qualcomm May 2025 bulletin

Operating Systems: Android, Linux-based systems using Qualcomm chips

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices with concurrent SSR execution enabled

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with kernel privileges leading to complete system compromise

🟠

Likely Case

System crash or denial of service resulting in device instability

🟢

If Mitigated

Limited impact with proper memory protection mechanisms and exploit mitigations

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: HIGH

Requires race condition triggering and memory corruption exploitation

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware updates specified in Qualcomm May 2025 security bulletin

Vendor Advisory: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2025-bulletin.html

Restart Required: Yes

Instructions:

1. Check Qualcomm advisory for affected chipset/firmware versions. 2. Obtain firmware update from device manufacturer. 3. Apply firmware update following manufacturer instructions. 4. Reboot device.

🔧 Temporary Workarounds

Disable concurrent SSR execution

linux

Prevents the race condition by disabling simultaneous SSR operations

echo 0 > /sys/kernel/debug/ssr/enable_concurrent

🧯 If You Can't Patch

Implement strict access controls to limit who can trigger SSR operations
Deploy exploit mitigation technologies like ASLR and stack canaries

🔍 How to Verify

Check if Vulnerable:

Check firmware version against Qualcomm advisory list: cat /proc/version

Check Version:

cat /proc/version | grep -i qualcomm

Verify Fix Applied:

Verify firmware version has been updated to patched version

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
SSR-related crash dumps
Memory corruption warnings in dmesg

Network Indicators:

Unusual SSR-related network traffic patterns

SIEM Query:

source="kernel" AND ("panic" OR "corruption" OR "ssr")

📊 Metadata

CVE ID: CVE-2024-45554

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

EPSS Score: 0.02% exploit probability (3.6th percentile)

Published: May 6, 2025

Last Updated: May 9, 2025

🔗 References

https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2025-bulletin.html Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Fastconnect 6900 Firmware by Qualcomm

Fastconnect 7800 Firmware by Qualcomm

Qca6174a Firmware by Qualcomm

Sdm429w Firmware by Qualcomm

Snapdragon 429 Mobile Firmware by Qualcomm

Snapdragon 8 Gen 1 Mobile Firmware by Qualcomm

Snapdragon 888 5g Mobile Firmware by Qualcomm

Snapdragon 888 5g Mobile Firmware by Qualcomm

Sw5100 Firmware by Qualcomm

Sw5100p Firmware by Qualcomm

Sxr2230p Firmware by Qualcomm

Sxr2250p Firmware by Qualcomm

Wcd9380 Firmware by Qualcomm

Wcd9385 Firmware by Qualcomm

Wcn3620 Firmware by Qualcomm

Wcn3660b Firmware by Qualcomm

Wcn3980 Firmware by Qualcomm

Wcn3988 Firmware by Qualcomm

Wsa8830 Firmware by Qualcomm

Wsa8832 Firmware by Qualcomm

Wsa8835 Firmware by Qualcomm