CVE-2024-38412

Medium

Published: 03 February 2025

Published

03 February 2025

Modified

05 February 2025

KEV Added

—

Patch

—

CVSS Score 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

EPSS Score 0.0008 22.9th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

Memory corruption while invoking IOCTL calls from user-space to kernel-space to handle session errors.

Security Summary

CVE-2024-38412 is a memory corruption vulnerability classified under CWE-416 (Use After Free), occurring while invoking IOCTL calls from user-space to kernel-space to handle session errors. It affects Qualcomm components, as documented in their security advisories.

The vulnerability carries a CVSS v3.1 base score of 6.6 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L). A local attacker with low privileges can exploit it with low attack complexity and no user interaction required. Successful exploitation enables low-impact confidentiality and availability violations alongside high-impact integrity violations, potentially allowing data tampering or limited code execution in kernel space.

Qualcomm's February 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html, details affected products and recommends applying available patches for mitigation.

Details

CWE(s): CWE-416

Affected Products

qualcomm

fastconnect 7800 firmware

all versions

qualcomm

snapdragon 8 gen 3 mobile firmware

all versions

qualcomm

wcd9390 firmware

all versions

qualcomm

wcd9395 firmware

all versions

qualcomm

wsa8840 firmware

all versions

qualcomm

wsa8845 firmware

all versions

qualcomm

wsa8845h firmware

all versions

References

https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html
Patch, Vendor Advisory · product-security@qualcomm.com