Qualcomm Releases Patch for 3 new Zero-Days Under Active Exploitation

Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation.

“There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation,” the semiconductor company said in an advisory.

CVE-2022-22071 (CVSS score: 8.4), described as a use-after-free in Automotive OS Platform, was originally patched by the company as part of its May 2022 updates.

While additional specifics about the remaining three flaws are expected to be made public in December 2023, the disclosure comes the same day Arm shipped patches for a security flaw in the Mali GPU Kernel Driver (CVE-2023-4211) that has also come under limited, targeted exploitation.

Qualcomm’s October 2023 updates also address three critical issues, although there is no evidence that they have been abused in the wild –

• CVE-2023-24855 (CVSS score: 9.8) – Memory corruption in Modem while processing security related configuration before AS Security Exchange.
• CVE-2023-28540 (CVSS score: 9.1) – Cryptographic issue in Data Modem due to improper authentication during TLS handshake.
• CVE-2023-33028 (CVSS score: 9.8) – Memory corruption in WLAN Firmware while doing a memory copy of pmk cache.

Users are advised to apply updates from original equipment manufacturers (OEMs) as soon as they become available.

Source: https://thehackernews.com/