Cyber Posture

CVE-2024-38420

High

Published: 03 February 2025

Published
03 February 2025
Modified
05 February 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0011 29.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-38420 is a high-severity Improper Input Validation (CWE-20) vulnerability in Qualcomm Aqt1000 Firmware. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses CWE-20 Improper Input Validation by requiring validation of inputs during hypervisor-based input virtual device configuration to prevent memory corruption.

SI-16 Memory Protection good match
prevent

Provides memory protection mechanisms that mitigate out-of-bounds writes (CWE-787) and memory corruption in hypervisor contexts.

SI-2 Flaw Remediation good match
prevent

Ensures timely flaw remediation through patching as recommended in Qualcomm's bulletin for this specific vulnerability.

NVD Description

Memory corruption while configuring a Hypervisor based input virtual device.

Deeper analysisAI

CVE-2024-38420 is a memory corruption vulnerability that occurs while configuring a hypervisor-based input virtual device. It is associated with CWE-20 (Improper Input Validation) and CWE-787 (Out-of-bounds Write), carrying a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The vulnerability affects Qualcomm products, as documented in their public security resources.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants high impacts on confidentiality, integrity, and availability, with a changed scope that elevates privileges, potentially enabling full system compromise such as arbitrary code execution in a privileged context.

Qualcomm's February 2025 security bulletin provides details on the vulnerability, including affected products and recommended mitigations: https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html. Security practitioners should consult this advisory for patching instructions and apply updates promptly to vulnerable devices.

Details

CWE(s)
CWE-20CWE-787

Affected Products

qualcomm
aqt1000 firmware
all versions
qualcomm
ar8035 firmware
all versions
qualcomm
fastconnect 6200 firmware
all versions
qualcomm
fastconnect 6700 firmware
all versions
qualcomm
fastconnect 6800 firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
qam8255p firmware
all versions
qualcomm
qam8295p firmware
all versions
qualcomm
qam8620p firmware
all versions
+150 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-53030Same product: Qualcomm Qam8255P
CVE-2024-53012Same product: Qualcomm Qam8255P
CVE-2024-53031Same product: Qualcomm Qam8255P
CVE-2024-53029Same product: Qualcomm Qam8255P
CVE-2024-53022Same product: Qualcomm Qam8255P
CVE-2025-47346Same product: Qualcomm Ar8035
CVE-2024-38413Same product: Qualcomm Fastconnect 7800
CVE-2025-47373Same product: Qualcomm Ar8035
CVE-2024-49838Same product: Qualcomm Ar8035
CVE-2024-45553Same product: Qualcomm Ar8035

References