CVE-2024-38420
Published: 03 February 2025
Summary
CVE-2024-38420 is a high-severity Improper Input Validation (CWE-20) vulnerability in Qualcomm Aqt1000 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 29.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2024-38420 is a memory corruption vulnerability that occurs while configuring a hypervisor-based input virtual device. It is associated with CWE-20 (Improper Input Validation) and CWE-787 (Out-of-bounds Write), carrying a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The vulnerability affects Qualcomm products, as documented in their public security resources.
A local attacker with low privileges can exploit this vulnerability with low complexity and without user interaction. Successful exploitation has a high impact on confidentiality, integrity, and availability. The changed scope elevates privileges, potentially enabling full system compromise such as arbitrary code execution in a privileged context.
Qualcomm's February 2025 security bulletin provides details on the vulnerability, including affected products and recommended mitigations: https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html. Security practitioners should consult this advisory for patching instructions and apply updates promptly to vulnerable devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37114
Vulnerability details
Memory corruption while configuring a Hypervisor based input virtual device.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local memory corruption (CWE-787) in the hypervisor input device configuration directly enables privilege escalation through exploitation, which matches T1068 with arbitrary code execution in an elevated context.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses CWE-20 Improper Input Validation by requiring validation of inputs during hypervisor-based input virtual device configuration to prevent memory corruption.
- SI-16 (Memory Protection): provides memory protection mechanisms that mitigate out-of-bounds writes (CWE-787) and memory corruption in hypervisor contexts.
- Ensures timely flaw remediation through patching, as recommended in Qualcomm's bulletin for this specific vulnerability.