Many devices made by Microsoft, Lenovo, Samsung and likely others are affected by potentially serious UEFI firmware vulnerabilities in Qualcomm Snapdragon chips.
Qualcomm announced this week the availability of
patches for a dozen vulnerabilities, including five connectivity- and boot-related issues discovered by researchers at firmware security company Binarly.
Alex Matrosov, founder and CEO of Binarly, told
SecurityWeek that they discovered a total of nine vulnerabilities while analyzing the firmware for Lenovo Thinkpad X13s laptops powered by the Qualcomm Snapdragon system-on-a-chip (SoC).
Further analysis revealed that while some of the nine flaws are specific to Lenovo devices, five of them impact Qualcomm reference code, which means the vulnerabilities are also present in laptops and other devices using Snapdragon chips.
The Snapdragon CPU uses the Arm architecture and Matrosov said this is the first such disclosure of UEFI firmware vulnerabilities related to the Arm device ecosystem.
According to Binarly, the Qualcomm vulnerabilities have been confirmed to impact — in addition to Lenovo devices — Arm-based Microsoft Surface and the
Windows Dev Kit 2023 (Project Volterra) computers, as well as Samsung products.
