Cyber Posture

CVE-2024-38418

High

Published: 03 February 2025

Modified: 05 February 2025
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-38418 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Qualcomm C-V2X 9150 Firmware. Its CVSS base score is 7.8 (High).

Operationally, it ranks at the 27.1th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: SI-16 implements memory protection mechanisms like address space randomization, non-executable stacks, and bounds checking to directly prevent exploitation of memory corruption during IOCTL memory map parsing.

Prevent: SI-10 requires rigorous validation of inputs such as memory map information in IOCTL calls to block malformed data that triggers memory corruption.

Prevent: SI-2 ensures timely identification, prioritization, and application of patches from Qualcomm's security bulletin to remediate the specific memory corruption flaw.

NVD Description

Memory corruption while parsing the memory map info in IOCTL calls.

Deeper analysis [AI]

CVE-2024-38418 is a memory corruption vulnerability that occurs while parsing memory map information in IOCTL calls. It is classified as CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) and affects Qualcomm products, as documented in Qualcomm's security bulletin. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), a High severity rating.

A local attacker with low privileges can exploit this vulnerability through a low-complexity attack that requires no user interaction. Successful exploitation could have a high impact on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data tampering, or denial of service within the affected component.

Qualcomm's February 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html, provides details on affected products and mitigation measures, including patches where applicable. The bulletin was referenced in the CVE publication on 2025-02-03.

Details

CWE(s)

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Affected Products

qualcomm, c-v2x 9150 firmware, all versions
qualcomm, csrb31024 firmware, all versions
qualcomm, fastconnect 6800 firmware, all versions
qualcomm, fastconnect 6900 firmware, all versions
qualcomm, fastconnect 7800 firmware, all versions
qualcomm, qam8295p firmware, all versions
qualcomm, qca6391 firmware, all versions
qualcomm, qca6426 firmware, all versions
qualcomm, qca6436 firmware, all versions
qualcomm, qca6564au firmware, all versions
+52 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-45560 (Same product: Qualcomm Fastconnect 6800)
CVE-2024-53028 (Same product: Qualcomm Qam8295P)
CVE-2025-47407 (Same product: Qualcomm Fastconnect 6900)
CVE-2024-53032 (Same product: Qualcomm Qam8295P)
CVE-2024-43061 (Same product: Qualcomm Fastconnect 6900)
CVE-2024-43060 (Same product: Qualcomm Fastconnect 6900)
CVE-2025-21427 (Same product: Qualcomm Fastconnect 6800)
CVE-2024-43057 (Same product: Qualcomm C-V2X 9150)
CVE-2024-33055 (Same product: Qualcomm Fastconnect 6900)
CVE-2024-33041 (Same product: Qualcomm Fastconnect 6900)
