Cyber Posture

CVE-2024-45561

High

Published: 03 February 2025

Published
03 February 2025
Modified
05 February 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 29.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Memory corruption while handling IOCTL call from user-space to set latency level.

Security Summary

CVE-2024-45561 is a memory corruption vulnerability, associated with CWE-126 (Buffer Over-read) and CWE-416 (Use After Free), that occurs while handling an IOCTL call from user-space to set latency level. It affects Qualcomm components, as documented in their public security resources.

The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating a local attack vector with low attack complexity and low required privileges. A local attacker could exploit it by sending a specially crafted IOCTL call, potentially achieving high impacts on confidentiality, integrity, and availability, such as arbitrary code execution in the context of the affected component.

Qualcomm's February 2025 security bulletin provides details on affected products and mitigation, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html.

Details

CWE(s)
CWE-126CWE-416

Affected Products

qualcomm
aqt1000 firmware
all versions
qualcomm
fastconnect 6200 firmware
all versions
qualcomm
fastconnect 6700 firmware
all versions
qualcomm
fastconnect 6800 firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
qca6391 firmware
all versions
qualcomm
qca6420 firmware
all versions
qualcomm
qca6430 firmware
all versions
qualcomm
qcc2073 firmware
all versions
+22 more product configuration(s) — see NVD for full list

References