CVE-2024-45561
Published: 03 February 2025
Summary
CVE-2024-45561 is a high-severity Buffer Over-read (CWE-126) vulnerability in Qualcomm Aqt1000 Firmware. Its CVSS base score is 7.8 (High).
Operationally, ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Implements memory protection mechanisms that directly mitigate buffer over-read and use-after-free vulnerabilities during IOCTL handling.
Requires validation of user-space IOCTL inputs to block specially crafted calls that trigger memory corruption.
Restricts access to I/O devices and control channels, limiting local attackers' ability to send malicious IOCTLs.
NVD Description
Memory corruption while handling IOCTL call from user-space to set latency level.
Deeper analysisAI
CVE-2024-45561 is a memory corruption vulnerability, associated with CWE-126 (Buffer Over-read) and CWE-416 (Use After Free), that occurs while handling an IOCTL call from user-space to set latency level. It affects Qualcomm components, as documented in their public security resources.
The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating a local attack vector with low attack complexity and low required privileges. A local attacker could exploit it by sending a specially crafted IOCTL call, potentially achieving high impacts on confidentiality, integrity, and availability, such as arbitrary code execution in the context of the affected component.
Qualcomm's February 2025 security bulletin provides details on affected products and mitigation, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html.
Details
- CWE(s)