CVE-2024-33055
Published: 06 January 2025
Summary
CVE-2024-33055 is a medium-severity Use After Free (CWE-416) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 6.7 (Medium).
Operationally, ranked at the 20.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the vulnerability by requiring identification, reporting, and timely patching of the specific use-after-free flaw in IOCTL handling for DMA buffers as per Qualcomm's security bulletin.
Implements memory protection mechanisms that comprehensively mitigate use-after-free memory corruption during DMA buffer unmapping operations.
Validates IOCTL inputs to prevent malformed or unauthorized requests that trigger the memory corruption in DMA buffer unmapping.
NVD Description
Memory corruption while invoking IOCTL calls to unmap the DMA buffers.
Deeper analysisAI
CVE-2024-33055 is a memory corruption vulnerability classified under CWE-416 (use-after-free), triggered while invoking IOCTL calls to unmap DMA buffers. It affects components within Qualcomm products, as detailed in the vendor's January 2025 security bulletin.
The vulnerability carries a CVSS v3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). Exploitation requires local access with high privileges, low attack complexity, and no user interaction, enabling an attacker to achieve high impacts on confidentiality, integrity, and availability through memory corruption.
Qualcomm's security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html provides details on affected products, exploitation status, and recommended mitigations or patches.
Details
- CWE(s)