CVE-2024-43064

High

Published: 06 January 2025

Published

06 January 2025

Modified

13 January 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0006 18.2th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43064 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Qualcomm Qam8255P Firmware. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 18.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the specific SMMU register access flaw through timely application of Qualcomm patches detailed in the January 2025 security bulletin.

SC-5 Denial-of-service Protection good match

preventdetect

Implements denial-of-service protections including resource throttling and limiting to counter uncontrolled resource consumption from SMMU access attempts.

SC-6 Resource Availability good match

prevent

Protects system resource availability against exhaustion caused by drivers, applications, or SMMU clients improperly accessing global registers.

NVD Description

Uncontrolled resource consumption when a driver, an application or a SMMU client tries to access the global registers through SMMU.

Deeper analysisAI

CVE-2024-43064 is a vulnerability that causes uncontrolled resource consumption when a driver, an application, or an SMMU client attempts to access global registers through the SMMU. Published on 2025-01-06, it is associated with CWE-264 (Permissions, Privileges, and Access Control) and CWE-770 (Allocation of Resources Without Limits or Throttling). The issue affects components in Qualcomm products, as referenced in their security documentation.

Exploitation requires local access (AV:L), high attack complexity (AC:H), and high privileges (PR:H), with no user interaction (UI:N). A successful attack changes scope (S:C) and achieves high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), resulting in a CVSS v3.1 base score of 7.5.

Qualcomm's January 2025 security bulletin (https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html) details the vulnerability and associated mitigations or patches.

Details

CWE(s): CWE-264 CWE-770

Affected Products

qualcomm

qam8255p firmware

all versions

qualcomm

qam8295p firmware

all versions

qualcomm

qam8620p firmware

all versions

qualcomm

qam8650p firmware

all versions

qualcomm

qam8775p firmware

all versions

qualcomm

qamsrv1h firmware

all versions

qualcomm

qamsrv1m firmware

all versions

qualcomm

qca6574au firmware

all versions

qualcomm

qca6595 firmware

all versions

qualcomm

qca6595au firmware

all versions

+20 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-53032Same product: Qualcomm Qam8255P

CVE-2024-53012Same product: Qualcomm Qam8255P

CVE-2024-53031Same product: Qualcomm Qam8255P

CVE-2024-49837Same product: Qualcomm Qam8255P

CVE-2024-53029Same product: Qualcomm Qam8255P

CVE-2024-53022Same product: Qualcomm Qam8255P

CVE-2025-47364Same product: Qualcomm Qam8255P

CVE-2025-47363Same product: Qualcomm Qam8255P

CVE-2024-53028Same product: Qualcomm Qam8255P

CVE-2024-45555Same product: Qualcomm Qam8255P

References

https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html
Vendor Advisory · product-security@qualcomm.com