CVE-2024-45550
Published: 06 January 2025
Summary
CVE-2024-45550 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).
Operationally, it ranks at the 29.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
SI-2 requires timely flaw remediation through patching, directly addressing the memory corruption vulnerability in the MCDM driver as detailed in Qualcomm's bulletin.
SI-16 enforces memory protections such as ASLR and DEP that mitigate exploitation of memory corruption via improper array index validation in IOCTL calls.
SI-10 mandates validation of inputs to the system, preventing the CWE-129 improper array index issue in MCDM driver IOCTL processing.
NVD Description
Memory corruption occurs when invoking any IOCTL-calling application that executes all MCDM driver IOCTL calls.
Deeper analysis (AI-generated)
CVE-2024-45550 is a memory corruption vulnerability, classified under CWE-129 (Improper Validation of Array Index), that occurs when invoking any IOCTL-calling application that executes all MCDM driver IOCTL calls. It affects the MCDM driver within Qualcomm components. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on January 6, 2025.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized access to confidential data, modification of system integrity, and disruption of availability, potentially leading to full system compromise.
Qualcomm's January 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html, provides details on affected products and recommended mitigations or patches.
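The defect class behind this CVE, CWE-129, is an IOCTL-style handler that takes an array index from an untrusted request and uses it without checking it against the table size. The following C snippet is an added illustration written for this page; it is hypothetical code, not Qualcomm's MCDM driver, and the request structure, table size and handler names are assumptions. It shows the unchecked pattern beside the bounds-checked form that control SI-10 calls for.

```c
/* Added illustration of CWE-129 in an IOCTL-style handler.
 * Hypothetical code, not Qualcomm's MCDM driver: the struct, table
 * size and function names are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 8
#define ERR_INVALID (-22)   /* mirrors the kernel's -EINVAL */

/* Hypothetical request copied in from user space: carries an index
 * into a fixed-size driver table and a value to store there. */
struct mcdm_req {
    uint32_t index;
    uint32_t value;
};

static uint32_t table[TABLE_SIZE];

/* Before: the index is trusted and used directly (CWE-129).
 * Kept only to show the defect; the example never calls it with an
 * out-of-range index, because that write would corrupt memory. */
int handle_req_unchecked(const struct mcdm_req *req)
{
    table[req->index] = req->value;   /* out-of-bounds if index >= TABLE_SIZE */
    return 0;
}

/* After: reject the request before any array access. The index is
 * compared as unsigned, so a "negative" 32-bit value from user space
 * wraps to a large number and is rejected rather than indexing
 * backwards from the table. */
int handle_req_checked(const struct mcdm_req *req)
{
    if (req->index >= TABLE_SIZE)
        return ERR_INVALID;
    table[req->index] = req->value;
    return 0;
}

/* Read-back helper with the same guard, used to observe the effect. */
uint32_t table_get(uint32_t i)
{
    return i < TABLE_SIZE ? table[i] : 0;
}

int main(void)
{
    struct mcdm_req ok  = { 3, 42 };
    struct mcdm_req bad = { 0xFFFFFFFFu, 1 };   /* -1 if read as signed */

    printf("in-range request:  rc=%d table[3]=%u\n",
           handle_req_checked(&ok), table_get(3));
    printf("wrapped request:   rc=%d (rejected)\n",
           handle_req_checked(&bad));
    return 0;
}
```

The check must precede the access and compare against the real table size; validating only the command number of the IOCTL, without validating the index inside its payload, leaves the same defect in place.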
Details
- CWE(s)