- Jan 8, 2011
Qualcomm is warning of three zero-day vulnerabilities in its GPU and Compute DSP drivers that hackers are actively exploiting in attacks.
The American semiconductor company was told by Google's Threat Analysis Group (TAG) and Project Zero teams that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.
This month's security bulletin also warns of three other critical vulnerabilities:
Along with the above, Qualcomm has disclosed 13 high-severity flaws and another three critical-severity vulnerabilities discovered by its engineers.
- CVE-2023-24855: Memory corruption in Qualcomm’s Modem component occurring when processing security-related configurations before the AS Security Exchange. (CVSS v3.1: 9.8)
- CVE-2023-28540: Cryptographic issue in the Data Modem component arising from improper authentication during the TLS handshake. (CVSS v3.1: 9.1)
- CVE-2023-33028: Memory corruption in the WLAN firmware occurring while copying the pmk cache memory without performing size checks. (CVSS v3.1: 9.8)
As the CVE-2023-24855, CVE-2023-2854, and CVE-2023-33028 flaws are all remotely exploitable, they are critical from a security standpoint, but there is no indication they are exploited.
Unfortunately, there isn't a lot impacted consumers can do besides applying the available updates as soon as those reach them through the usual OEM channels.
Flaws in drivers usually require local access to exploit, typically achieved through malware infections, so Android device owners are recommended to limit the number of apps they download and only source them from trustworthy repositories.