CVE-2021-1906
Published: 07 May 2021
Summary
CVE-2021-1906 is a medium-severity an unspecified weakness vulnerability in Qualcomm Sd675 Firmware. Its CVSS base score is 6.2 (Medium).
Operationally, ranked at the 33.7th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-24 (Fail in Known State) and SI-11 (Error Handling).
Deeper analysis
CVE-2021-1906 is an improper handling of address deregistration on failure that can lead to subsequent GPU address allocation failures. The issue affects Qualcomm Snapdragon Auto, Compute, Connectivity, Consumer IOT, Industrial IOT, Mobile, Voice & Music, and Wearables platforms.
A local attacker with no privileges required can trigger the flaw to produce a denial-of-service condition that prevents new GPU address allocations, resulting in high availability impact with no effect on confidentiality or integrity.
Qualcomm's May 2021 security bulletin addresses the vulnerability, and the issue appears in CISA's catalog of known exploited vulnerabilities.
The CVSS 6.2 score reflects the local attack vector and the resulting availability consequences on affected Snapdragon devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-7370
Vulnerability details
Improper handling of address deregistration on failure can lead to new GPU address allocation failure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
- CWE(s)
- KEV Date Added
- 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires proper error handling for failures such as address deregistration, preventing the subsequent GPU allocation DoS described in CVE-2021-1906.
Ensures the GPU address-management component fails in a known state rather than leaving deregistration incomplete and blocking future allocations.
Limits the effects of resource-management failures on GPU address availability, directly mitigating the high-availability impact of this local flaw.