CVE-2024-45548
Published: 06 January 2025
Summary
CVE-2024-45548 is a high-severity Buffer Over-read (CWE-126) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 27.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2024-45548 is a memory corruption vulnerability, associated with CWE-126 and CWE-125, that occurs while processing FIPS encryption or decryption validation functionality in an IOCTL call. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and affects Qualcomm components, as documented in their security resources.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data, modification of system integrity, and disruption of availability.
Qualcomm has published details on mitigations in their January 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html. Security practitioners should consult this advisory for patch information and recommended actions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41262
Vulnerability details
Memory corruption while processing FIPS encryption or decryption validation functionality IOCTL call.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local memory corruption via IOCTL directly enables kernel-level privilege escalation (T1068) by a low-privileged attacker.
Mitigating Controls (NIST 800-53 r5)
Directly remediates the specific memory corruption vulnerability in Qualcomm's FIPS IOCTL processing by applying vendor patches from the January 2025 security bulletin.
Implements memory safeguards like ASLR, DEP, and stack canaries to protect against exploitation of buffer overflows and over-reads in IOCTL handling.
Requires validation of IOCTL inputs for FIPS encryption/decryption to prevent memory corruption from malformed parameters.