CVE-2024-49843

High

Published: 03 February 2025

Modified: 05 February 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (34.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

Memory corruption while processing IOCTL from user space to handle GPU AHB bus error.

Security Summary

CVE-2024-49843 is a memory corruption vulnerability stemming from improper validation of an array index (CWE-129) during the processing of IOCTL calls from user space intended to handle GPU AHB bus errors. It affects Qualcomm components, as detailed in the vendor's security bulletin.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation requires local access with low privileges and low complexity, with no user interaction needed. A malicious local user could send a crafted IOCTL request, triggering memory corruption that enables high-impact compromise of confidentiality, integrity, and availability, such as arbitrary code execution or system crashes.

Qualcomm's February 2025 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html outlines affected products and recommends applying vendor-provided patches for mitigation.

Details

CWE(s)
CWE-129

Affected Products

qualcomm fastconnect 6200 firmware (all versions)
qualcomm fastconnect 7800 firmware (all versions)
qualcomm qca6391 firmware (all versions)
qualcomm qcm6125 firmware (all versions)
qualcomm qcs6125 firmware (all versions)
qualcomm qcs7230 firmware (all versions)
qualcomm qcs8250 firmware (all versions)
qualcomm video collaboration vc1 platform firmware (all versions)
qualcomm video collaboration vc5 platform firmware (all versions)
qualcomm sm4635 firmware (all versions)
+42 more product configuration(s) — see NVD for full list
