CVE-2024-49837

CVE-2024-49837 is a memory corruption vulnerability, classified under CWE-129 (Improper Validation of Array Index), that occurs while reading CPU state data during guest VM suspend operations. It affects Qualcomm software components, as documented in their February 2025 security bulletin. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows the attacker to achieve high levels of confidentiality, integrity, and availability impacts (C:H/I:H/A:H) within the same security scope (S:U), potentially leading to arbitrary code execution or system compromise on the affected host during guest VM suspend processes.

Mitigation details and patches are outlined in Qualcomm's February 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html. Security practitioners should consult this advisory for specific remediation steps tailored to impacted products.