Cyber Resilience

CVE-2024-45546

High

Published: 06 January 2025

Modified: 13 January 2025
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (33.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-45546 is a high-severity Buffer Over-read (CWE-126) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 33.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-45546 is a memory corruption vulnerability stemming from improper handling of FIPS encryption or decryption IOCTL calls invoked from user-space. It affects Qualcomm components, as detailed in their security bulletin, and is associated with CWE-126 (Buffer Over-read) and CWE-125 (Out-of-bounds Read). The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability.

A local attacker with low privileges, such as a standard user on the affected system, can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Successful exploitation triggers memory corruption, potentially allowing arbitrary code execution, data tampering, or system crashes within the context of the vulnerable component.

Qualcomm has addressed this issue in their January 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html, which provides details on affected products and recommended patches or mitigations for security practitioners.

Vulnerability details

Memory corruption while processing FIPS encryption or decryption IOCTL call invoked from user-space.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption in a kernel-adjacent IOCTL handler directly enables arbitrary code execution from a low-privileged context, matching the definition of Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-45548 · Same product: Qualcomm Fastconnect 6900
CVE-2024-49840 · Same product: Qualcomm Fastconnect 6900
CVE-2024-45547 · Same product: Qualcomm Fastconnect 6900
CVE-2024-45550 · Same product: Qualcomm Fastconnect 6900
CVE-2024-53033 · Same product: Qualcomm Fastconnect 6900
CVE-2024-53034 · Same product: Qualcomm Fastconnect 6900
CVE-2025-47390 · Same product: Qualcomm Fastconnect 6900
CVE-2024-45561 · Same product: Qualcomm Fastconnect 6900
CVE-2026-21375 · Same product: Qualcomm Fastconnect 6900
CVE-2025-47405 · Same product: Qualcomm Fastconnect 6900

Affected Assets

Vendor · Product · Versions
qualcomm · fastconnect 6900 firmware · all versions
qualcomm · fastconnect 7800 firmware · all versions
qualcomm · qcc2073 firmware · all versions
qualcomm · qcc2076 firmware · all versions
qualcomm · sc8380xp firmware · all versions
qualcomm · wcd9380 firmware · all versions
qualcomm · wcd9385 firmware · all versions
qualcomm · wsa8840 firmware · all versions
qualcomm · wsa8845 firmware · all versions
qualcomm · wsa8845h firmware · all versions

Mitigating Controls (NIST 800-53 r5)

Prevent: Flaw remediation directly addresses the memory corruption vulnerability by applying Qualcomm's patches for the IOCTL handling issue.

Prevent: Information input validation enforces proper bounds checking on user-space FIPS encryption/decryption IOCTL parameters to prevent buffer over-reads.

Prevent: Memory protection mechanisms such as address space layout randomization and data execution prevention mitigate exploitation of the memory corruption even if input validation fails.
