CVE-2024-49838
Published: 03 February 2025
Description
Information disclosure while parsing the OCI IE with invalid length.
Security Summary
CVE-2024-49838 is an information disclosure vulnerability that arises while parsing the OCI IE with an invalid length, associated with CWE-126 (Buffer Over-read) and CWE-125 (Out-of-bounds Read). It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L), indicating high severity due to significant confidentiality impact. The vulnerability affects components documented in Qualcomm's security advisories.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. By sending a specially crafted input with an invalid length in the OCI IE, the attacker can trigger the parsing flaw, resulting in disclosure of sensitive information (high confidentiality impact) alongside a low availability impact from potential denial of service.
Qualcomm's February 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html, addresses this CVE with details on affected products and recommended mitigations or patches.
Details
- CWE(s)