CVE-2024-45546
Published: 06 January 2025
Summary
CVE-2024-45546 is a high-severity Buffer Over-read (CWE-126) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 33.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2024-45546 is a memory corruption vulnerability stemming from improper handling of FIPS encryption or decryption IOCTL calls invoked from user-space. It affects Qualcomm components, as detailed in their security bulletin, and is associated with CWE-126 (Buffer Over-read) and CWE-125 (Out-of-bounds Read). The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability.
A local attacker with low privileges, such as a standard user on the affected system, can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Successful exploitation triggers memory corruption, potentially allowing arbitrary code execution, data tampering, or system crashes within the context of the vulnerable component.
Qualcomm has addressed this issue in their January 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html, which provides details on affected products and recommended patches or mitigations for security practitioners.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41260
Vulnerability details
Memory corruption while processing FIPS encryption or decryption IOCTL call invoked from user-space.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption in kernel-adjacent IOCTL handler directly enables arbitrary code execution from low-privileged context, matching the definition of Exploitation for Privilege Escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the memory corruption vulnerability by applying Qualcomm's patches for the IOCTL handling issue.
Information input validation enforces proper bounds checking on user-space FIPS encryption/decryption IOCTL parameters to prevent buffer over-reads.
Memory protection mechanisms such as address space layout randomization and data execution prevention mitigate exploitation of the memory corruption even if input validation fails.