CVE-2024-38413

Medium

Published: 03 February 2025

Modified: 05 February 2025
KEV Added
Patch
CVSS Score v3.1: 6.6 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L)
EPSS Score: 0.0010 (27.7th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-38413 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Qualcomm Fastconnect 7800 Firmware. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 27.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-38413 is a memory corruption vulnerability that occurs while processing frame packets in Qualcomm components. It is linked to CWE-20 (Improper Input Validation) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 6.6 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L). The vulnerability was published on 2025-02-03.

An attacker with local access and low privileges (PR:L) can exploit this issue with low attack complexity and no user interaction required. Exploitation allows limited impact on confidentiality (C:L), high impact on integrity (I:H), and limited impact on availability (A:L), within the unchanged security scope.

Qualcomm's February 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html, details affected products and mitigation guidance, including patches where applicable.

Vulnerability details

Memory corruption while processing frame packets.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption (out-of-bounds write) with high integrity impact enables exploitation for privilege escalation from low-privileged context.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-38412 · Same product: Qualcomm Fastconnect 7800
CVE-2024-38420 · Same product: Qualcomm Fastconnect 7800
CVE-2024-53012 · Same vendor: Qualcomm
CVE-2024-53030 · Same vendor: Qualcomm
CVE-2024-53022 · Same vendor: Qualcomm
CVE-2024-53031 · Same vendor: Qualcomm
CVE-2024-33059 · Same product: Qualcomm Fastconnect 7800
CVE-2024-38411 · Same product: Qualcomm Fastconnect 7800
CVE-2025-59603 · Same product: Qualcomm Fastconnect 7800
CVE-2024-33041 · Same product: Qualcomm Fastconnect 7800

Affected Assets

Vendor · Product · Versions
qualcomm · fastconnect 7800 firmware · all versions
qualcomm · snapdragon 8 gen 3 mobile firmware · all versions
qualcomm · wcd9390 firmware · all versions
qualcomm · wcd9395 firmware · all versions
qualcomm · wsa8840 firmware · all versions
qualcomm · wsa8845 firmware · all versions
qualcomm · wsa8845h firmware · all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

[prevent] SI-16 Memory Protection directly mitigates memory corruption from out-of-bounds writes (CWE-787) by enforcing address space layout randomization, data execution prevention, and bounds checking in Qualcomm components.

[prevent] SI-10 Information Input Validation addresses the root cause of improper input validation (CWE-20) when processing frame packets, preventing exploitation leading to memory corruption.

[prevent] SI-2 Flaw Remediation ensures timely patching of the specific Qualcomm vulnerability as detailed in their February 2025 security bulletin.
