Cyber Posture

CVE-2024-45553

High

Published: 06 January 2025

Published
06 January 2025
Modified
11 August 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 29.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45553 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm Ar8035 Firmware. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-16 Memory Protection good match
prevent

SI-16 implements memory protection mechanisms such as address space layout randomization and data execution prevention to directly mitigate use-after-free memory corruption vulnerabilities.

SC-4 Information in Shared System Resources good match
prevent

SC-4 prevents unauthorized information transfer and corruption in shared system resources like the global list of process-specific maps accessed concurrently by threads.

SI-2 Flaw Remediation good match
prevent

SI-2 ensures timely flaw remediation by applying vendor patches from the Qualcomm January 2025 security bulletin to eliminate the race condition causing use-after-free.

NVD Description

Memory corruption can occur when process-specific maps are added to the global list. If a map is removed from the global list while another thread is using it for a process-specific task, issues may arise.

Deeper analysisAI

CVE-2024-45553 is a memory corruption vulnerability classified under CWE-416 (use-after-free). It affects Qualcomm components, where process-specific maps added to a global list can lead to corruption if a map is removed from the global list while another thread is using it for a process-specific task. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on January 6, 2025.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation may result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or system crashes through the memory corruption triggered by the race condition between threads.

The Qualcomm January 2025 security bulletin provides details on affected products and recommended mitigations or patches, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html.

Details

CWE(s)
CWE-416

Affected Products

qualcomm
ar8035 firmware
all versions
qualcomm
fastconnect 6200 firmware
all versions
qualcomm
fastconnect 6700 firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
flight rb5 5g firmware
all versions
qualcomm
qam8255p firmware
all versions
qualcomm
qam8295p firmware
all versions
qualcomm
qam8620p firmware
all versions
qualcomm
qam8650p firmware
all versions
+118 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-53023Same product: Qualcomm Ar8035
CVE-2026-24082Same product: Qualcomm Ar8035
CVE-2025-47398Same product: Qualcomm Fastconnect 6200
CVE-2025-47377Same product: Qualcomm Ar8035
CVE-2025-21424Same product: Qualcomm Ar8035
CVE-2025-47376Same product: Qualcomm Ar8035
CVE-2025-47386Same product: Qualcomm Ar8035
CVE-2025-47375Same product: Qualcomm Ar8035
CVE-2025-47339Same product: Qualcomm Ar8035
CVE-2025-47379Same product: Qualcomm Ar8035

References