Cyber Posture

CVE-2024-21464

High

Published: 06 January 2025

Published
06 January 2025
Modified
10 January 2025
KEV Added
Patch
CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 29.3th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-21464 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Qualcomm Fastconnect 6700 Firmware. Its CVSS base score is 8.4 (High).

Operationally, ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the memory corruption vulnerability by requiring timely application of vendor-provided patches as specified in Qualcomm's security bulletin.

SI-16 Memory Protection good match
prevent

Implements memory protection mechanisms such as ASLR, DEP, and stack canaries to prevent exploitation of memory corruption like CWE-120 even if unpatched.

SI-10 Information Input Validation partial match
prevent

Requires validation of inputs to IPA statistics processing to avoid buffer overflows or corruption when no active clients are registered.

NVD Description

Memory corruption while processing IPA statistics, when there are no active clients registered.

Deeper analysisAI

CVE-2024-21464 is a memory corruption vulnerability (CWE-120) that occurs while processing IPA statistics when there are no active clients registered. It affects Qualcomm software components, as detailed in the vendor's security bulletin. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

A local attacker with no privileges can exploit this vulnerability through low-complexity means without requiring user interaction. Successful exploitation enables high-impact outcomes, including unauthorized access to confidential data, modification of system integrity, and disruption of availability, potentially leading to arbitrary code execution or system compromise.

Qualcomm's January 2025 security bulletin provides details on affected products and recommends applying the available patches or updates to mitigate the issue, accessible at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html.

Details

CWE(s)
CWE-120

Affected Products

qualcomm
fastconnect 6700 firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
qcm4490 firmware
all versions
qualcomm
qcs4490 firmware
all versions
qualcomm
snapdragon 8 gen 3 mobile firmware
all versions
qualcomm
snapdragon 8\+ gen 1 mobile firmware
all versions
qualcomm
talynplus firmware
all versions
qualcomm
wcd9370 firmware
all versions
qualcomm
wcd9390 firmware
all versions
+11 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-47394Same product: Qualcomm Fastconnect 6700
CVE-2025-47388Same product: Qualcomm Fastconnect 6700
CVE-2024-45547Same product: Qualcomm Fastconnect 6900
CVE-2024-45541Same product: Qualcomm Fastconnect 6700
CVE-2024-43055Same product: Qualcomm Fastconnect 6900
CVE-2026-21382Same product: Qualcomm Fastconnect 6900
CVE-2025-47399Same product: Qualcomm Fastconnect 7800
CVE-2024-53027Same product: Qualcomm Fastconnect 6700
CVE-2025-47389Same product: Qualcomm Fastconnect 6700
CVE-2024-38413Same product: Qualcomm Fastconnect 7800

References