Cyber Resilience

CVE-2024-21464

High

Published: 06 January 2025

Published
06 January 2025
Modified
10 January 2025
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 35.7th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-21464 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Qualcomm Fastconnect 6700 Firmware. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-21464 is a memory corruption vulnerability (CWE-120) that occurs while processing IPA statistics when there are no active clients registered. It affects Qualcomm software components, as detailed in the vendor's security bulletin. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

A local attacker with no privileges can exploit this vulnerability through low-complexity means without requiring user interaction. Successful exploitation enables high-impact outcomes, including unauthorized access to confidential data, modification of system integrity, and disruption of availability, potentially leading to arbitrary code execution or system compromise.

Qualcomm's January 2025 security bulletin provides details on affected products and recommends applying the available patches or updates to mitigate the issue, accessible at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html.

EU & UK References

Vulnerability details

Memory corruption while processing IPA statistics, when there are no active clients registered.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption (CWE-120) with no privileges required directly enables T1068 Exploitation for Privilege Escalation leading to arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-47394Same product: Qualcomm Fastconnect 6700
CVE-2025-47388Same product: Qualcomm Fastconnect 6700
CVE-2024-45547Same product: Qualcomm Fastconnect 6900
CVE-2024-45541Same product: Qualcomm Fastconnect 6700
CVE-2024-43055Same product: Qualcomm Fastconnect 6900
CVE-2026-21382Same product: Qualcomm Fastconnect 6900
CVE-2025-47399Same product: Qualcomm Fastconnect 7800
CVE-2025-47389Same product: Qualcomm Fastconnect 6700
CVE-2026-25277Same product: Qualcomm Fastconnect 6700
CVE-2024-38413Same product: Qualcomm Fastconnect 7800

Affected Assets

qualcomm
fastconnect 6700 firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
qcm4490 firmware
all versions
qualcomm
qcs4490 firmware
all versions
qualcomm
snapdragon 8 gen 3 mobile firmware
all versions
qualcomm
snapdragon 8\+ gen 1 mobile firmware
all versions
qualcomm
talynplus firmware
all versions
qualcomm
wcd9370 firmware
all versions
qualcomm
wcd9390 firmware
all versions
+11 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the memory corruption vulnerability by requiring timely application of vendor-provided patches as specified in Qualcomm's security bulletin.

prevent

Implements memory protection mechanisms such as ASLR, DEP, and stack canaries to prevent exploitation of memory corruption like CWE-120 even if unpatched.

prevent

Requires validation of inputs to IPA statistics processing to avoid buffer overflows or corruption when no active clients are registered.

References