Cyber Posture

CVE-2024-49840

Severity: High

Published: 03 February 2025

Modified: 05 February 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.2 percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Memory corruption while invoking IOCTL calls from user-space to validate FIPS encryption or decryption functionality.

Security Summary

CVE-2024-49840 is a memory corruption vulnerability that occurs while invoking IOCTL calls from user-space to validate FIPS encryption or decryption functionality. It is associated with CWE-823 (Access of Uninitialized Pointer) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The vulnerability affects Qualcomm products, as documented in their public security resources.

The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it requires local access with low privileges, low attack complexity, and no user interaction. A local attacker meeting these conditions can exploit the IOCTL interface to trigger memory corruption, potentially achieving high impacts on confidentiality, integrity, and availability, such as arbitrary code execution or kernel compromise.

Qualcomm has published a February 2025 security bulletin addressing this issue at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html, which security practitioners should review for details on affected components, patches, and mitigation recommendations.

Details

CWE(s)
CWE-823, CWE-119

Affected Products

Vendor     Product                    Versions
qualcomm   fastconnect 6900 firmware  all versions
qualcomm   fastconnect 7800 firmware  all versions
qualcomm   qcc2073 firmware           all versions
qualcomm   qcc2076 firmware           all versions
qualcomm   sc8380xp firmware          all versions
qualcomm   wcd9380 firmware           all versions
qualcomm   wcd9385 firmware           all versions
qualcomm   wsa8840 firmware           all versions
qualcomm   wsa8845 firmware           all versions
qualcomm   wsa8845h firmware          all versions

References