CVE-2024-45553
Published: 06 January 2025
Summary
CVE-2024-45553 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm Ar8035 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-16 (Memory Protection).
Deeper analysis
CVE-2024-45553 is a memory corruption vulnerability classified under CWE-416 (use-after-free). It affects Qualcomm components, where process-specific maps added to a global list can lead to corruption if a map is removed from the global list while another thread is using it for a process-specific task. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on January 6, 2025.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation may result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or system crashes through the memory corruption triggered by the race condition between threads.
The Qualcomm January 2025 security bulletin provides details on affected products and recommended mitigations or patches, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41264
Vulnerability details
Memory corruption can occur when process-specific maps are added to the global list. If a map is removed from the global list while another thread is using it for a process-specific task, issues may arise.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local use-after-free memory corruption enables arbitrary code execution for privilege escalation on affected Qualcomm components.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-16 implements memory protection mechanisms such as address space layout randomization and data execution prevention to directly mitigate use-after-free memory corruption vulnerabilities.
SC-4 prevents unauthorized information transfer and corruption in shared system resources like the global list of process-specific maps accessed concurrently by threads.
SI-2 ensures timely flaw remediation by applying vendor patches from the Qualcomm January 2025 security bulletin to eliminate the race condition causing use-after-free.