
CVE-2024-43064

High

Published: 06 January 2025

Modified: 13 January 2025
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0006 (18.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-43064 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Qualcomm Qam8255P Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 18.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2024-43064 is a vulnerability that causes uncontrolled resource consumption when a driver, an application, or an SMMU client attempts to access global registers through the SMMU. Published on 2025-01-06, it is associated with CWE-264 (Permissions, Privileges, and Access Control) and CWE-770 (Allocation of Resources Without Limits or Throttling). The issue affects components in Qualcomm products, as referenced in their security documentation.

Exploitation requires local access (AV:L) and high privileges (PR:H), has high attack complexity (AC:H), and needs no user interaction (UI:N). A successful attack changes scope (S:C) and has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), resulting in a CVSS v3.1 base score of 7.5.

Qualcomm's January 2025 security bulletin (https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html) details the vulnerability and associated mitigations or patches.

Vulnerability details

Uncontrolled resource consumption when a driver, an application or a SMMU client tries to access the global registers through SMMU.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The SMMU global register access flaw, with scope change and high confidentiality, integrity, and availability impact, enables local privilege escalation (T1068) and system or application denial of service via resource exhaustion (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-53032 (same product: Qualcomm Qam8255P)
CVE-2024-53031 (same product: Qualcomm Qam8255P)
CVE-2024-49837 (same product: Qualcomm Qam8255P)
CVE-2024-53012 (same product: Qualcomm Qam8255P)
CVE-2024-53029 (same product: Qualcomm Qam8255P)
CVE-2024-53022 (same product: Qualcomm Qam8255P)
CVE-2025-47363 (same product: Qualcomm Qam8255P)
CVE-2024-53028 (same product: Qualcomm Qam8255P)
CVE-2025-47393 (same product: Qualcomm Qam8255P)
CVE-2024-53030 (same product: Qualcomm Qam8255P)

Affected Assets

qualcomm qam8255p firmware (all versions)
qualcomm qam8295p firmware (all versions)
qualcomm qam8620p firmware (all versions)
qualcomm qam8650p firmware (all versions)
qualcomm qam8775p firmware (all versions)
qualcomm qamsrv1h firmware (all versions)
qualcomm qamsrv1m firmware (all versions)
qualcomm qca6574au firmware (all versions)
qualcomm qca6595 firmware (all versions)
qualcomm qca6595au firmware (all versions)
+20 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly remediates the specific SMMU register access flaw through timely application of Qualcomm patches detailed in the January 2025 security bulletin.

prevent, detect

Implements denial-of-service protections including resource throttling and limiting to counter uncontrolled resource consumption from SMMU access attempts.

prevent

Protects system resource availability against exhaustion caused by drivers, applications, or SMMU clients improperly accessing global registers.