CVE-2024-43062

High

Published: 03 March 2025

Published

03 March 2025

Modified

06 March 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43062 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

preventrecover

Requires timely remediation of the memory corruption vulnerability in DMA fence handling through application of Qualcomm's provided patches.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms that directly prevent exploitation of the use-after-free condition caused by missing locks and improper synchronization on DMA fences.

SI-7 Software, Firmware, and Information Integrity partial match

detect

Monitors software and firmware integrity to detect violations from memory corruption in DMA fence synchronization.

NVD Description

Memory corruption caused by missing locks and checks on the DMA fence and improper synchronization.

Deeper analysisAI

CVE-2024-43062 is a memory corruption vulnerability stemming from missing locks and checks on the DMA fence combined with improper synchronization, mapped to CWE-416 (Use After Free). It affects components within Qualcomm products, as detailed in the vendor's security bulletin. The issue carries a CVSS v3.1 base score of 7.8 (High), reflecting local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability due to its low complexity and lack of required user interaction. Successful exploitation enables high-impact outcomes, including arbitrary code execution, data tampering, or system denial of service through memory corruption in the affected DMA fence handling.

Qualcomm's March 2025 security bulletin provides details on the vulnerability, including affected products and recommended patches or mitigations for remediation.

Details

CWE(s): CWE-416

Affected Products

qualcomm

fastconnect 6900 firmware

all versions

qualcomm

fastconnect 7800 firmware

all versions

qualcomm

sdm429w firmware

all versions

qualcomm

snapdragon 429 firmware

all versions

qualcomm

snapdragon 8 gen 1 firmware

all versions

qualcomm

sxr2230p firmware

all versions

qualcomm

sxr2250p firmware

all versions

qualcomm

wcd9380 firmware

all versions

qualcomm

wcd9385 firmware

all versions

qualcomm

wcn3620 firmware

all versions

+4 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-43059Same product: Qualcomm Fastconnect 6900

CVE-2024-43055Same product: Qualcomm Fastconnect 6900

CVE-2024-43061Same product: Qualcomm Fastconnect 6900

CVE-2024-45580Same product: Qualcomm Fastconnect 6900

CVE-2026-21380Same product: Qualcomm Fastconnect 6900

CVE-2025-47358Same product: Qualcomm Fastconnect 6900

CVE-2024-33055Same product: Qualcomm Fastconnect 6900

CVE-2024-33059Same product: Qualcomm Fastconnect 6900

CVE-2024-38411Same product: Qualcomm Fastconnect 6900

CVE-2025-47359Same product: Qualcomm Fastconnect 6900

References

https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2025-bulletin.html
Patch, Vendor Advisory · product-security@qualcomm.com