CVE-2024-43064
Published: 06 January 2025
Summary
CVE-2024-43064 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Qualcomm Qam8255P Firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2024-43064 is a vulnerability that causes uncontrolled resource consumption when a driver, an application, or an SMMU client attempts to access global registers through the SMMU. Published on 2025-01-06, it is associated with CWE-264 (Permissions, Privileges, and Access Control) and CWE-770 (Allocation of Resources Without Limits or Throttling). The issue affects components in Qualcomm products, as referenced in their security documentation.
Exploitation requires local access (AV:L), high attack complexity (AC:H), and high privileges (PR:H), with no user interaction (UI:N). A successful attack changes scope (S:C) and achieves high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), resulting in a CVSS v3.1 base score of 7.5.
Qualcomm's January 2025 security bulletin (https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html) details the vulnerability and associated mitigations or patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40708
Vulnerability details
Uncontrolled resource consumption when a driver, an application or a SMMU client tries to access the global registers through SMMU.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SMMU global register access flaw with scope change and high CIA impact enables local priv esc (T1068) and system/application DoS via resource exhaustion (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the specific SMMU register access flaw through timely application of Qualcomm patches detailed in the January 2025 security bulletin.
Implements denial-of-service protections including resource throttling and limiting to counter uncontrolled resource consumption from SMMU access attempts.
Protects system resource availability against exhaustion caused by drivers, applications, or SMMU clients improperly accessing global registers.