Cyber Resilience

CVE-2024-38418

Severity: High
Published: 03 February 2025
Modified: 05 February 2025
KEV Added: none (not listed in CISA KEV)
Patch: see vendor security bulletin
CVSS v3.1 Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.1 percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38418 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Qualcomm C-V2X 9150 Firmware. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS exploit likelihood ranks at the 27.1 percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-38418 is a memory corruption vulnerability that occurs while parsing memory map information in IOCTL calls. It is classified as CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) and affects Qualcomm products, as documented in Qualcomm's security bulletin. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), rated High because a successful exploit has high impact on confidentiality, integrity, and availability.

A local attacker with low privileges can exploit this vulnerability with a low-complexity attack requiring no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data tampering, or denial of service within the affected component.

Qualcomm's February 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html, provides details on affected products and mitigation measures, including patches where applicable. The bulletin was referenced in the CVE publication on 2025-02-03.

Vulnerability details

Memory corruption while parsing the memory map info in IOCTL calls.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption in kernel IOCTL (TOCTOU) enables arbitrary code execution from low privileges, directly mapping to exploitation for privilege escalation on affected Qualcomm systems.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-45560 (same product: Qualcomm Fastconnect 6800)
CVE-2026-25260 (same product: Qualcomm Fastconnect 6900)
CVE-2024-53028 (same product: Qualcomm Qam8295P)
CVE-2025-47407 (same product: Qualcomm Fastconnect 6900)
CVE-2024-53032 (same product: Qualcomm Qam8295P)
CVE-2024-43061 (same product: Qualcomm Fastconnect 6900)
CVE-2024-43060 (same product: Qualcomm Fastconnect 6900)
CVE-2024-43057 (same product: Qualcomm C-V2X 9150)
CVE-2024-33055 (same product: Qualcomm Fastconnect 6900)
CVE-2024-33041 (same product: Qualcomm Fastconnect 6900)

Affected Assets

qualcomm c-v2x 9150 firmware (all versions)
qualcomm csrb31024 firmware (all versions)
qualcomm fastconnect 6800 firmware (all versions)
qualcomm fastconnect 6900 firmware (all versions)
qualcomm fastconnect 7800 firmware (all versions)
qualcomm qam8295p firmware (all versions)
qualcomm qca6391 firmware (all versions)
qualcomm qca6426 firmware (all versions)
qualcomm qca6436 firmware (all versions)
qualcomm qca6564au firmware (all versions)
+52 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-16 (Memory Protection) implements memory protection mechanisms such as address space randomization, non-executable stacks, and bounds checking to directly prevent exploitation of memory corruption during IOCTL memory map parsing.

Prevent: SI-10 (Information Input Validation) requires rigorous validation of inputs such as memory map information in IOCTL calls to block malformed data that triggers memory corruption.

Prevent: SI-2 (Flaw Remediation) ensures timely identification, prioritization, and application of patches from Qualcomm's security bulletin to remediate the specific memory corruption flaw.