Cyber Posture

CVE-2024-45547

High

Published: 06 January 2025

Published
06 January 2025
Modified
13 January 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45547 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Applying vendor-provided firmware and software updates directly remediates the memory corruption vulnerability in the IOCTL processing code.

SI-10 Information Input Validation good match
prevent

Validating IOCTL input parameters, including buffer sizes, prevents buffer copy without size checking that triggers the memory corruption.

SI-16 Memory Protection partial match
prevent

Memory protection mechanisms such as ASLR and DEP mitigate exploitation of the memory corruption vulnerability even if triggered.

NVD Description

Memory corruption while processing IOCTL call invoked from user-space to verify non extension FIPS encryption and decryption functionality.

Deeper analysisAI

CVE-2024-45547 is a memory corruption vulnerability (CWE-120) that occurs during processing of an IOCTL call invoked from user-space to verify non-extension FIPS encryption and decryption functionality. It affects Qualcomm components, as documented in their January 2025 security bulletin. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact potential with low attack complexity and privileges required.

Local attackers with low privileges (PR:L) can exploit this by sending a specially crafted IOCTL call from user-space, triggering buffer copy without size checking. Successful exploitation enables high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution, privilege escalation, or system crashes on affected Qualcomm devices.

Qualcomm's January 2025 security bulletin (https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html) advises applying the provided firmware or software updates to remediate the issue. No further mitigation details are available from the referenced advisory.

Details

CWE(s)
CWE-120

Affected Products

qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
qcc2073 firmware
all versions
qualcomm
qcc2076 firmware
all versions
qualcomm
sc8380xp firmware
all versions
qualcomm
wcd9380 firmware
all versions
qualcomm
wcd9385 firmware
all versions
qualcomm
wsa8840 firmware
all versions
qualcomm
wsa8845 firmware
all versions
qualcomm
wsa8845h firmware
all versions

CVEs Like This One

CVE-2024-49840Same product: Qualcomm Fastconnect 6900
CVE-2024-45546Same product: Qualcomm Fastconnect 6900
CVE-2024-45548Same product: Qualcomm Fastconnect 6900
CVE-2026-21382Same product: Qualcomm Fastconnect 6900
CVE-2024-45550Same product: Qualcomm Fastconnect 6900
CVE-2024-53034Same product: Qualcomm Fastconnect 6900
CVE-2024-53033Same product: Qualcomm Fastconnect 6900
CVE-2024-43055Same product: Qualcomm Fastconnect 6900
CVE-2025-47399Same product: Qualcomm Fastconnect 7800
CVE-2024-45541Same product: Qualcomm Fastconnect 6900

References