Cyber Resilience

CVE-2023-33107

HighCISA KEVActive ExploitationEUVD Exploited

Published: 05 December 2023

Published
05 December 2023
Modified
28 October 2025
KEV Added
05 December 2023
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0040 61.1th percentile
Risk Priority 37 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-33107 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Qualcomm 315 5G Iot Modem Firmware. Its CVSS base score is 8.4 (High).

Operationally, ranked in the top 38.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2023-33107 is a memory corruption vulnerability, tracked under CWE-190, that occurs in the Graphics Linux component when assigning a shared virtual memory region during an IOCTL call. The flaw affects Qualcomm platforms that incorporate this Linux graphics driver code and carries a CVSS 3.1 base score of 8.4, reflecting high impact on confidentiality, integrity, and availability.

An attacker with local access and no privileges can invoke the affected IOCTL to trigger the corruption, enabling arbitrary code execution or denial of service within the graphics subsystem. Because the attack vector is local and requires no user interaction or elevated permissions, the issue can be reached from an untrusted application or compromised process running on the device.

Qualcomm’s December 2023 security bulletin addresses the issue with patches for impacted chipsets and software releases. The vulnerability also appears in CISA’s catalog of known exploited vulnerabilities, confirming observed in-the-wild use; the current EPSS score of 0.004 remains low and shows no material upward trajectory.

EU & UK References

Vulnerability details

Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.

CWE(s)
KEV Date Added
05 December 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qualcomm
315 5g iot modem firmware
all versions
qualcomm
apq8017 firmware
all versions
qualcomm
apq8064au firmware
all versions
qualcomm
aqt1000 firmware
all versions
qualcomm
ar8031 firmware
all versions
qualcomm
ar8035 firmware
all versions
qualcomm
c-v2x 9150 firmware
all versions
qualcomm
csra6620 firmware
all versions
qualcomm
csra6640 firmware
all versions
qualcomm
csrb31024 firmware
all versions
+232 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of IOCTL parameters to block the integer overflow that triggers memory corruption during shared virtual memory assignment.

prevent

Enforces hardware or software memory protection mechanisms that can prevent or contain the corruption of memory regions exposed via the flawed Graphics Linux IOCTL path.

prevent

Requires process isolation boundaries that limit the blast radius of memory corruption originating in the graphics driver to the affected Qualcomm component.

References