Cyber Posture

CVE-2024-45555

High

Published: 06 January 2025

Published
06 January 2025
Modified
13 January 2025
KEV Added
Patch
CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.7th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45555 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Qualcomm Msm8996Au Firmware. Its CVSS base score is 8.4 (High).

Operationally, ranked at the 4.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-34 (Non-modifiable Executable Programs) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-16 Memory Protection good match
prevent

Implements memory protection mechanisms that directly mitigate memory corruption vulnerabilities (CWE-787, CWE-190) enabling overwrite of verified IFS2 boot images.

SC-34 Non-modifiable Executable Programs good match
prevent

Prevents modification of non-modifiable executable programs, such as verified security-sensitive IFS2 boot images, during the boot process.

SI-7 Software, Firmware, and Information Integrity good match
preventdetect

Enforces integrity verification of software, firmware, and boot images to prevent execution of tampered IFS2 system images post-overwrite.

NVD Description

Memory corruption can occur if an already verified IFS2 image is overwritten, bypassing boot verification. This allows unauthorized programs to be injected into security-sensitive images, enabling the booting of a tampered IFS2 system image.

Deeper analysisAI

CVE-2024-45555 is a memory corruption vulnerability (CWE-787, CWE-190) in the IFS2 image verification process within Qualcomm products. It arises when an already verified IFS2 image is overwritten, bypassing boot verification mechanisms. This flaw allows unauthorized programs to be injected into security-sensitive images, enabling the booting of a tampered IFS2 system image. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-06.

A local attacker can exploit this vulnerability with low attack complexity and no privileges or user interaction required. By overwriting the verified IFS2 image, the attacker achieves memory corruption, injecting malicious code into security-sensitive boot images. Successful exploitation enables booting a fully tampered IFS2 system image, compromising confidentiality, integrity, and availability at a high level.

Mitigation details are provided in the Qualcomm January 2025 Security Bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html.

Details

CWE(s)
CWE-787CWE-190

Affected Products

qualcomm
msm8996au firmware
all versions
qualcomm
qam8255p firmware
all versions
qualcomm
qam8295p firmware
all versions
qualcomm
qam8620p firmware
all versions
qualcomm
qam8650p firmware
all versions
qualcomm
qam8775p firmware
all versions
qualcomm
qamsrv1h firmware
all versions
qualcomm
qamsrv1m firmware
all versions
qualcomm
qca6564a firmware
all versions
qualcomm
qca6564au firmware
all versions
+31 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-53030Same product: Qualcomm Msm8996Au
CVE-2025-47364Same product: Qualcomm Qam8255P
CVE-2025-47363Same product: Qualcomm Qam8255P
CVE-2024-53028Same product: Qualcomm Qam8255P
CVE-2024-53012Same product: Qualcomm Qam8255P
CVE-2024-53031Same product: Qualcomm Qam8255P
CVE-2024-53029Same product: Qualcomm Qam8255P
CVE-2024-53022Same product: Qualcomm Qam8255P
CVE-2024-53032Same product: Qualcomm Qam8255P
CVE-2024-49837Same product: Qualcomm Qam8255P

References