Cyber Resilience

CVE-2024-45569

Critical

Published: 03 February 2025

Published
03 February 2025
Modified
05 February 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0045 63.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45569 is a critical-severity Improper Validation of Array Index (CWE-129) vulnerability in Qualcomm Ar8035 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 36.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Mobile/Edge AI; in the Data-Related Vulnerabilities risk domain; MITRE ATLAS techniques in scope: External Harms (AML.T0048).

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-45569 is a memory corruption vulnerability stemming from improper validation of array index (CWE-129) while parsing the ML IE due to invalid frame content. It affects components in Qualcomm products, as documented in the vendor's February 2025 security bulletin.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network by unauthenticated attackers requiring low complexity and no user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, such as arbitrary code execution or system compromise.

Qualcomm's February 2025 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html details affected products and provides guidance on patches or mitigations. Security practitioners should consult this advisory for specific remediation steps.

EU & UK References

Vulnerability details

Memory corruption while parsing the ML IE due to invalid frame content.

CWE(s)

AI Security AnalysisAI

AI Category
Mobile/Edge AI
Risk Domain
Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ml

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Memory corruption vulnerability in parsing malformed ML IE in wireless frames enables remote exploitation for privilege escalation (e.g., kernel/driver RCE) or endpoint denial of service via application/system crash.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0048: External Harms

CVEs Like This One

CVE-2024-45558Same product: Qualcomm Ar8035
CVE-2024-45571Same product: Qualcomm Ar8035
CVE-2024-49833Same product: Qualcomm Fastconnect 6700
CVE-2024-49834Same product: Qualcomm Fastconnect 6700
CVE-2024-53014Same product: Qualcomm Ar8035
CVE-2024-45582Same product: Qualcomm Fastconnect 6900
CVE-2024-49839Same product: Qualcomm Ar8035
CVE-2024-49843Same product: Qualcomm Fastconnect 7800
CVE-2024-49837Same product: Qualcomm Qam8255P
CVE-2026-25276Same product: Qualcomm Fastconnect 6700

Affected Assets

qualcomm
ar8035 firmware
all versions
qualcomm
csr8811 firmware
all versions
qualcomm
fastconnect 6700 firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
immersive home 214 firmware
all versions
qualcomm
immersive home 216 firmware
all versions
qualcomm
immersive home 316 firmware
all versions
qualcomm
immersive home 318 firmware
all versions
qualcomm
immersive home 3210 firmware
all versions
+164 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of information inputs like ML IE frames to prevent improper array index handling and memory corruption from invalid content.

prevent

SI-16 implements memory safeguards such as address space layout randomization or data execution prevention to mitigate exploitation of memory corruption vulnerabilities.

preventrecover

SI-2 ensures timely identification, reporting, and patching of flaws like CVE-2024-45569 as detailed in Qualcomm's security bulletin.

References