Cyber Posture

CVE-2024-43060

High

Published: 03 March 2025

Published
03 March 2025
Modified
06 March 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 29.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43060 is a high-severity Use of Out-of-range Pointer Offset (CWE-823) vulnerability in Qualcomm Ar8035 Firmware. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the memory corruption flaw in sound model parameter loading from HLOS to ADSP by requiring timely application of Qualcomm's March 2025 patches.

SI-16 Memory Protection good match
prevent

Implements memory protections like address space randomization and data execution prevention to block exploitation of the out-of-bounds read and buffer overflow in ADSP.

SI-10 Information Input Validation good match
prevent

Requires validation of sound model parameters during transfer from HLOS to ADSP to prevent buffer overflows and out-of-bounds reads.

NVD Description

Memory corruption during voice activation, when sound model parameters are loaded from HLOS to ADSP.

Deeper analysisAI

CVE-2024-43060 is a memory corruption vulnerability that occurs during voice activation when sound model parameters are loaded from the High-Level Operating System (HLOS) to the Audio Digital Signal Processor (ADSP) in Qualcomm components. It is associated with CWE-823 (Use of Out-of-bounds Read) and CWE-119 (Buffer Overflow), carrying a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue was published on March 3, 2025.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution or system compromise within the affected ADSP context.

Qualcomm has addressed this issue in its March 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2025-bulletin.html, which provides details on patches and affected products for mitigation. Security practitioners should apply the recommended updates promptly to vulnerable Qualcomm platforms.

Details

CWE(s)
CWE-823CWE-119

Affected Products

qualcomm
ar8035 firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
qam8295p firmware
all versions
qualcomm
qca6574au firmware
all versions
qualcomm
qca6696 firmware
all versions
qualcomm
qca8081 firmware
all versions
qualcomm
qca8337 firmware
all versions
qualcomm
qca9367 firmware
all versions
qualcomm
qca9377 firmware
all versions
+31 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-43061Same product: Qualcomm Fastconnect 6900
CVE-2024-45573Same product: Qualcomm Fastconnect 6900
CVE-2024-49840Same product: Qualcomm Fastconnect 6900
CVE-2024-33041Same product: Qualcomm Fastconnect 6900
CVE-2024-33055Same product: Qualcomm Fastconnect 6900
CVE-2024-45584Same product: Qualcomm Ar8035
CVE-2024-38418Same product: Qualcomm Fastconnect 6900
CVE-2024-43055Same product: Qualcomm Fastconnect 6900
CVE-2024-43062Same product: Qualcomm Fastconnect 6900
CVE-2024-43059Same product: Qualcomm Fastconnect 6900

References