CVE-2024-33059
Published: 06 January 2025
Summary
CVE-2024-33059 is a medium-severity Use After Free (CWE-416) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 25.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-33059 is a memory corruption vulnerability classified under CWE-416 (Use After Free) that occurs while processing frame command IOCTL calls in Qualcomm components. Published on January 6, 2025, it carries a CVSS v3.1 base score of 6.7, reflecting a local attack vector with low attack complexity.
A local attacker with high privileges (PR:H) can exploit this vulnerability without user interaction through low-complexity means. Successful exploitation enables high-impact consequences, including unauthorized access to confidential data (C:H), modification of system integrity (I:H), and denial of service or system disruption (A:H), potentially via arbitrary code execution resulting from the memory corruption.
Qualcomm's January 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html, details affected products and recommends applying vendor-provided patches for mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-30804
Vulnerability details
Memory corruption while processing frame command IOCTL calls.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local use-after-free memory corruption in Qualcomm driver IOCTL handling enables kernel-level arbitrary code execution, directly facilitating privilege escalation from an already-elevated local context.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Provides memory protections such as address space layout randomization and page permissions that directly mitigate use-after-free vulnerabilities during IOCTL processing.
Mandates timely remediation of identified flaws like this memory corruption vulnerability through vendor patches recommended in Qualcomm's bulletin.
Enforces validation of IOCTL inputs such as frame commands to prevent malformed data from triggering the use-after-free memory corruption.