Cyber Posture

CVE-2024-38413

Medium

Published: 03 February 2025

Published
03 February 2025
Modified
05 February 2025
KEV Added
Patch
CVSS Score 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
EPSS Score 0.0010 27.7th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-38413 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Qualcomm Fastconnect 7800 Firmware. Its CVSS base score is 6.6 (Medium).

Operationally, ranked at the 27.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-16 Memory Protection good match
prevent

SI-16 Memory Protection directly mitigates memory corruption from out-of-bounds writes (CWE-787) by enforcing address space layout randomization, data execution prevention, and bounds checking in Qualcomm components.

SI-10 Information Input Validation good match
prevent

SI-10 Information Input Validation addresses the root cause of improper input validation (CWE-20) when processing frame packets, preventing exploitation leading to memory corruption.

SI-2 Flaw Remediation good match
prevent

SI-2 Flaw Remediation ensures timely patching of the specific Qualcomm vulnerability as detailed in their February 2025 security bulletin.

NVD Description

Memory corruption while processing frame packets.

Deeper analysisAI

CVE-2024-38413 is a memory corruption vulnerability that occurs while processing frame packets in Qualcomm components. It is linked to CWE-20 (Improper Input Validation) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 6.6 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L). The vulnerability was published on 2025-02-03.

An attacker with local access and low privileges (PR:L) can exploit this issue with low attack complexity and no user interaction required. Exploitation allows limited impact on confidentiality (C:L), high impact on integrity (I:H), and limited impact on availability (A:L), within the unchanged security scope.

Qualcomm's February 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html, details affected products and mitigation guidance, including patches where applicable.

Details

CWE(s)
CWE-20CWE-787

Affected Products

qualcomm
fastconnect 7800 firmware
all versions
qualcomm
snapdragon 8 gen 3 mobile firmware
all versions
qualcomm
wcd9390 firmware
all versions
qualcomm
wcd9395 firmware
all versions
qualcomm
wsa8840 firmware
all versions
qualcomm
wsa8845 firmware
all versions
qualcomm
wsa8845h firmware
all versions

CVEs Like This One

CVE-2024-38412Same product: Qualcomm Fastconnect 7800
CVE-2024-38420Same product: Qualcomm Fastconnect 7800
CVE-2024-53012Same vendor: Qualcomm
CVE-2024-53022Same vendor: Qualcomm
CVE-2024-53030Same vendor: Qualcomm
CVE-2024-53031Same vendor: Qualcomm
CVE-2024-53029Same vendor: Qualcomm
CVE-2024-33059Same product: Qualcomm Fastconnect 7800
CVE-2024-38411Same product: Qualcomm Fastconnect 7800
CVE-2025-59603Same product: Qualcomm Fastconnect 7800

References