CVE-2024-45555
Published: 06 January 2025
Description
Memory corruption can occur if an already verified IFS2 image is overwritten, bypassing boot verification. This allows unauthorized programs to be injected into security-sensitive images, enabling the booting of a tampered IFS2 system image.
Security Summary
CVE-2024-45555 is a memory corruption vulnerability (CWE-787, CWE-190) in the IFS2 image verification process within Qualcomm products. It arises when an already verified IFS2 image is overwritten, bypassing boot verification mechanisms. This flaw allows unauthorized programs to be injected into security-sensitive images, enabling the booting of a tampered IFS2 system image. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-06.
A local attacker can exploit this vulnerability with low attack complexity and no privileges or user interaction required. By overwriting the verified IFS2 image, the attacker achieves memory corruption, injecting malicious code into security-sensitive boot images. Successful exploitation enables booting a fully tampered IFS2 system image, compromising confidentiality, integrity, and availability at a high level.
Mitigation details are provided in the Qualcomm January 2025 Security Bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html.
Details
- CWE(s)