Cyber Resilience

CVE-2024-33041

Medium

Published: 06 January 2025
Modified: 11 August 2025
CVSS Score v3.1: 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (20.5th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-33041 is a medium-severity Use of Out-of-range Pointer Offset (CWE-823) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 6.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 20.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-33041 is a memory corruption vulnerability arising from missing input parameter validation for the number of fences in fence frame IOCTL calls. It affects Qualcomm components and is linked to CWE-823 (Use of Out-of-range Pointer Offset) and CWE-787 (Out-of-bounds Write). The vulnerability received a CVSS v3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-06.

The attack requires local access with high privileges, low complexity, and no user interaction. An attacker meeting these conditions can achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or system compromise through memory corruption.

The Qualcomm January 2025 Security Bulletin provides details on affected products and mitigation, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html.

Vulnerability details

Memory corruption when input parameter validation for number of fences is missing for fence frame IOCTL calls.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption in Qualcomm IOCTL handling enables privilege escalation via out-of-bounds write and uninitialized pointer access, directly mapping to exploitation for local privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-33055 · Same product: Qualcomm Fastconnect 6900
CVE-2024-38411 · Same product: Qualcomm Fastconnect 6900
CVE-2024-43060 · Same product: Qualcomm Fastconnect 6900
CVE-2024-33059 · Same product: Qualcomm Fastconnect 6900
CVE-2025-47346 · Same product: Qualcomm Fastconnect 6900
CVE-2025-59603 · Same product: Qualcomm Fastconnect 6900
CVE-2024-43061 · Same product: Qualcomm Fastconnect 6900
CVE-2024-45573 · Same product: Qualcomm Fastconnect 6900
CVE-2025-47373 · Same product: Qualcomm Fastconnect 6900
CVE-2024-45582 · Same product: Qualcomm Fastconnect 6900

Affected Assets

Vendor · Product · Versions
qualcomm · fastconnect 6900 firmware · all versions
qualcomm · fastconnect 7800 firmware · all versions
qualcomm · qam8295p firmware · all versions
qualcomm · qca6574au firmware · all versions
qualcomm · qca6696 firmware · all versions
qualcomm · qcm8550 firmware · all versions
qualcomm · qcs6490 firmware · all versions
qualcomm · qcs8550 firmware · all versions
qualcomm · video collaboration vc3 platform firmware · all versions
qualcomm · sa6145p firmware · all versions
+25 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly mandates validation of input parameters such as the number of fences in fence frame IOCTL calls to prevent memory corruption from invalid inputs.

Prevent: Implements safeguards against memory corruption exploits like out-of-bounds writes and uninitialized pointer access triggered by unvalidated IOCTL parameters.

Prevent: Requires timely identification, reporting, and patching of the specific flaw in Qualcomm fence frame IOCTL handling to remediate the vulnerability.
