CVE-2023-33063
Published: 05 December 2023
Summary
CVE-2023-33063 is a high-severity use-after-free (CWE-416) vulnerability in Qualcomm DSP Services, affecting Qualcomm chipset firmware including the 315 5G IoT Modem. Its CVSS v3.1 base score is 7.8 (High).
Operationally, it ranks in the top 36.4% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2023-33063 is a memory corruption vulnerability, specifically a use-after-free (CWE-416) in DSP Services, triggered while handling a remote procedure call from the High-Level Operating System (HLOS) to the DSP. It affects Qualcomm chipsets that expose these DSP services to the HLOS and carries a CVSS v3.1 base score of 7.8.
An attacker with local access and low privileges on an affected device (vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) can trigger the flaw by issuing a crafted remote call from the HLOS. A successful trigger corrupts DSP memory and can yield code execution on the DSP, with full impact on the confidentiality, integrity and availability of the DSP environment, without any user interaction. The practical risk is a privilege-escalation step: an object freed on one path of the RPC handler is still reachable through a stale reference, and once the allocator reuses that memory the stale reference aliases an object the attacker should not control.
Qualcomm's December 2023 security bulletin addresses the issue (after earlier reporting indications of limited, targeted exploitation) and directs OEMs to apply the corresponding firmware and driver updates; end users receive the fix through their device maker's update channel. The vulnerability is also catalogued in CISA's Known Exploited Vulnerabilities list, which confirms observed in-the-wild exploitation. The current EPSS score of 0.0044 remains low and shows no material upward movement, but that is expected for this bug class: EPSS is driven largely by broadly observed network exploitation activity, which under-represents targeted, local privilege-escalation flaws on mobile devices. Treat the KEV listing, not the EPSS score, as the operational priority signal.
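To make the bug class concrete, the following is an added example written for this page; it is not Qualcomm's code, not the fixed code from the bulletin, and not a reproduction of the actual vulnerable handler. It models a toy HLOS-to-DSP RPC dispatcher in C whose session table keeps a dangling pointer after CLOSE, beside a hardened dispatcher that drops the reference before freeing. The slab allocator, the dsp_session and rpc_msg types, the rpc_dispatch_* functions and the OWNER_* identities are all invented for illustration; run_stale_handle_sequence drives the generic open, close, reuse, query pattern that turns a use-after-free into a cross-caller alias.

```c
/* Added example, not Qualcomm code: a constructed model of an HLOS->DSP RPC
 * dispatcher whose session table keeps a dangling pointer after CLOSE, beside
 * a hardened dispatcher. All names and the slab allocator are invented. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOTS          4
#define OWNER_TRUSTED  0x7575u   /* identity a privileged HLOS service would hold */
#define OWNER_ATTACKER 0x4141u   /* identity of the low-privilege caller */

enum rpc_op { RPC_OPEN = 1, RPC_CLOSE = 2, RPC_QUERY = 3 };
struct dsp_session { uint32_t owner; };
/* op, table index used as the handle, identity recorded on OPEN */
struct rpc_msg { enum rpc_op op; uint32_t handle; uint32_t owner; };
/* Minimal first-fit slab standing in for the DSP heap: a freed slot is handed
 * straight back to the next allocation, which is what turns a dangling pointer
 * into an alias of another caller's object. */
static struct dsp_session slab[SLOTS];
static int slab_busy[SLOTS];

static void slab_reset(void) {
    memset(slab, 0, sizeof slab);
    memset(slab_busy, 0, sizeof slab_busy);
}
static struct dsp_session *slab_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!slab_busy[i]) { slab_busy[i] = 1; return &slab[i]; }
    return NULL;
}
static void slab_free(struct dsp_session *s) {
    slab_busy[s - slab] = 0;
    memset(s, 0xDD, sizeof *s);   /* poison freed memory, as a debug heap would */
}

/* Vulnerable dispatcher: CLOSE frees the session but leaves the table entry
 * pointing at it, so a later QUERY on the same handle reads freed memory. */
static struct dsp_session *vuln_table[SLOTS];
uint32_t rpc_dispatch_vuln(const struct rpc_msg *m) {
    if (m->handle >= SLOTS) return 0;
    struct dsp_session *s = vuln_table[m->handle];
    switch (m->op) {
    case RPC_OPEN:
        if (!(s = slab_alloc())) return 0;
        s->owner = m->owner;
        vuln_table[m->handle] = s;
        return s->owner;
    case RPC_CLOSE:
        if (!s) return 0;
        slab_free(s);             /* BUG: vuln_table[handle] still points at s */
        return 1;
    case RPC_QUERY:
        if (!s) return 0;
        return s->owner;          /* BUG: s may be freed or reallocated to another caller */
    }
    return 0;
}

/* Hardened dispatcher: the reference is dropped before the object is freed,
 * so every later use of that handle is rejected instead of dereferenced. */
static struct dsp_session *safe_table[SLOTS];
uint32_t rpc_dispatch_safe(const struct rpc_msg *m) {
    if (m->handle >= SLOTS) return 0;
    struct dsp_session *s = safe_table[m->handle];
    switch (m->op) {
    case RPC_OPEN:
        if (s) return 0;          /* refuse to overwrite a live entry */
        if (!(s = slab_alloc())) return 0;
        s->owner = m->owner;
        safe_table[m->handle] = s;
        return s->owner;
    case RPC_CLOSE:
        if (!s) return 0;
        safe_table[m->handle] = NULL;   /* clear the reference first ... */
        slab_free(s);                   /* ... then release the object */
        return 1;
    case RPC_QUERY:
        return s ? s->owner : 0;        /* stale or never-opened handle: error */
    }
    return 0;
}

/* Sequence a low-privilege HLOS caller can drive: open, close, let a privileged
 * service open its own session (which reuses the freed slot), then query the
 * stale handle. Returns the owner the DSP now associates with that handle. */
typedef uint32_t (*dispatch_fn)(const struct rpc_msg *);
uint32_t run_stale_handle_sequence(dispatch_fn dispatch) {
    slab_reset();
    memset(vuln_table, 0, sizeof vuln_table);
    memset(safe_table, 0, sizeof safe_table);
    struct rpc_msg open_a  = { RPC_OPEN,  0, OWNER_ATTACKER };
    struct rpc_msg close_a = { RPC_CLOSE, 0, 0 };
    struct rpc_msg open_t  = { RPC_OPEN,  1, OWNER_TRUSTED };
    struct rpc_msg query_a = { RPC_QUERY, 0, 0 };
    dispatch(&open_a);
    dispatch(&close_a);
    dispatch(&open_t);          /* slot reused: slab[0] now belongs to the trusted caller */
    return dispatch(&query_a);  /* vulnerable: OWNER_TRUSTED; hardened: 0 */
}
```

Run stand-alone, run_stale_handle_sequence(rpc_dispatch_vuln) returns OWNER_TRUSTED, because the attacker's stale handle now resolves to the object allocated for the trusted caller, and a further CLOSE on that stale handle frees the trusted caller's session out from under it; run_stale_handle_sequence(rpc_dispatch_safe) returns 0 and the repeated CLOSE is refused. Clearing the reference before freeing is the minimum discipline a handler needs; a production DSP handle table would additionally tag handles with a generation counter and sit on a hardened allocator that does not immediately hand a freed slot back, so that a reused slot cannot silently alias another session.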
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37252
Vulnerability details
Memory corruption in DSP Services during a remote call from HLOS to DSP.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 05 December 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Qualcomm 315 5G IoT Modem firmware, and other Qualcomm chipsets that expose DSP Services to the HLOS (see the vendor bulletin for the full chipset list)
Mitigating Controls (NIST 800-53 r5)
- SI-16 (Memory Protection): enforces memory protection mechanisms (non-executable data, hardened allocators, pointer and bounds checks) that blunt exploitation of use-after-free corruption in DSP Services during HLOS remote calls; note that these raise the cost of exploitation but do not remove the underlying flaw.
- SC-39 (Process Isolation): requires isolation between the HLOS and DSP address spaces, and validation of every HLOS-supplied argument at the RPC boundary, so a crafted call cannot corrupt DSP memory.
- SI-2 (Flaw Remediation): mandates timely application of the vendor patches that eliminate the use-after-free flaw in DSP Services; for devices this means applying the OEM firmware update that incorporates the December 2023 bulletin fix.