CVE-2023-33107
Published: 05 December 2023
Summary
CVE-2023-33107 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Qualcomm 315 5G IoT Modem Firmware. Its CVSS base score is 8.4 (High).
Operationally, it ranks in the top 38.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2023-33107 is a memory corruption vulnerability, tracked under CWE-190, that occurs in the Graphics Linux component when assigning a shared virtual memory region during an IOCTL call. The flaw affects Qualcomm platforms that incorporate this Linux graphics driver code and carries a CVSS 3.1 base score of 8.4, reflecting high impact on confidentiality, integrity, and availability.
An attacker with local access and no privileges can invoke the affected IOCTL to trigger the corruption, enabling arbitrary code execution or denial of service within the graphics subsystem. Because the attack vector is local and requires no user interaction or elevated permissions, the issue can be reached from an untrusted application or compromised process running on the device.
Qualcomm’s December 2023 security bulletin addresses the issue with patches for impacted chipsets and software releases. The vulnerability also appears in CISA’s catalog of known exploited vulnerabilities, confirming observed in-the-wild use; the current EPSS score of 0.004 remains low and shows no material upward trajectory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37296
Vulnerability details
Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.
- CWE(s): CWE-190
- KEV Date Added: 05 December 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of IOCTL parameters to block the integer overflow that triggers memory corruption during shared virtual memory assignment.
- Enforces hardware or software memory protection mechanisms that can prevent or contain the corruption of memory regions exposed via the flawed Graphics Linux IOCTL path.
- Requires process isolation boundaries that limit the blast radius of memory corruption originating in the graphics driver to the affected Qualcomm component.