CVE-2024-38420

CVE-2024-38420 is a memory corruption vulnerability that occurs while configuring a hypervisor-based input virtual device. It is associated with CWE-20 (Improper Input Validation) and CWE-787 (Out-of-bounds Write), carrying a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The vulnerability affects Qualcomm products, as documented in their public security resources.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants high impacts on confidentiality, integrity, and availability, with a changed scope that elevates privileges, potentially enabling full system compromise such as arbitrary code execution in a privileged context.

Qualcomm's February 2025 security bulletin provides details on the vulnerability, including affected products and recommended mitigations: https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html. Security practitioners should consult this advisory for patching instructions and apply updates promptly to vulnerable devices.