Cyber Posture

CVE-2024-45548

High

Published: 06 January 2025

Modified: 13 January 2025
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-45548 is a high-severity Buffer Over-read (CWE-126) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).

Operationally, it is ranked at the 21.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the specific memory corruption vulnerability in Qualcomm's FIPS IOCTL processing by applying vendor patches from the January 2025 security bulletin.

prevent: Implements memory safeguards like ASLR, DEP, and stack canaries to protect against exploitation of buffer overflows and overreads in IOCTL handling.

prevent: Requires validation of IOCTL inputs for FIPS encryption/decryption to prevent memory corruption from malformed parameters.

NVD Description

Memory corruption while processing FIPS encryption or decryption validation functionality IOCTL call.

Deeper analysis

CVE-2024-45548 is a memory corruption vulnerability, associated with CWE-126 and CWE-125, that occurs while processing FIPS encryption or decryption validation functionality in an IOCTL call. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and affects Qualcomm components, as documented in their security resources.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data, modification of system integrity, and disruption of availability.

Qualcomm has published details on mitigations in their January 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html. Security practitioners should consult this advisory for patch information and recommended actions.

Details

CWE(s)

Affected Products

Vendor | Product | Version
qualcomm | fastconnect 6900 firmware | all versions
qualcomm | fastconnect 7800 firmware | all versions
qualcomm | qcc2073 firmware | all versions
qualcomm | qcc2076 firmware | all versions
qualcomm | sc8380xp firmware | all versions
qualcomm | wcd9380 firmware | all versions
qualcomm | wcd9385 firmware | all versions
qualcomm | wsa8840 firmware | all versions
qualcomm | wsa8845 firmware | all versions
qualcomm | wsa8845h firmware | all versions

CVEs Like This One

CVE-2024-45546 - Same product: Qualcomm Fastconnect 6900
CVE-2024-49840 - Same product: Qualcomm Fastconnect 6900
CVE-2024-45547 - Same product: Qualcomm Fastconnect 6900
CVE-2024-45550 - Same product: Qualcomm Fastconnect 6900
CVE-2024-53034 - Same product: Qualcomm Fastconnect 6900
CVE-2024-53033 - Same product: Qualcomm Fastconnect 6900
CVE-2024-38404 - Same product: Qualcomm Fastconnect 7800
CVE-2024-49838 - Same product: Qualcomm Fastconnect 6900
CVE-2024-45558 - Same product: Qualcomm Fastconnect 6900
CVE-2024-49839 - Same product: Qualcomm Fastconnect 6900
