CVE-2024-45550
Published: 06 January 2025
Summary
CVE-2024-45550 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 36.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2024-45550 is a memory corruption vulnerability, classified under CWE-129 (Improper Validation of Array Index), that occurs when invoking any IOCTL-calling application that executes all MCDM driver IOCTL calls. It affects the MCDM driver within Qualcomm components. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on January 6, 2025.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized access to confidential data, modification of system integrity, and disruption of availability, potentially leading to full system compromise.
Qualcomm's January 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html, provides details on affected products and recommended mitigations or patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41263
Vulnerability details
Memory corruption occurs when invoking any IOCTL-calling application that executes all MCDM driver IOCTL calls.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption vulnerability in Qualcomm MCDM driver via IOCTL allows low-privileged attacker to achieve arbitrary code execution and full system compromise, directly mapping to exploitation for privilege escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely flaw remediation through patching, directly addressing the memory corruption vulnerability in the MCDM driver as detailed in Qualcomm's bulletin.
SI-16 enforces memory protections such as ASLR and DEP that mitigate exploitation of memory corruption via improper array index validation in IOCTL calls.
SI-10 mandates validation of inputs to the system, preventing the CWE-129 improper array index issue in MCDM driver IOCTL processing.