Cyber Posture

CVE-2024-45580

High

Published: 03 March 2025

Published
03 March 2025
Modified
06 March 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0016 36.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45580 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 36.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the Use After Free memory corruption vulnerability by requiring timely application of vendor-supplied patches for affected Qualcomm components.

SI-16 Memory Protection good match
prevent

Implements memory safeguards such as ASLR and DEP to protect against exploitation of Use After Free vulnerabilities during IOCTL handling from userspace.

SI-5 Security Alerts, Advisories, and Directives good match
detect

Ensures monitoring of security advisories like Qualcomm's bulletin to identify and respond to CVE-2024-45580 in affected products.

NVD Description

Memory corruption while handling multuple IOCTL calls from userspace for remote invocation.

Deeper analysisAI

CVE-2024-45580 is a memory corruption vulnerability, classified under CWE-416 (Use After Free), occurring while handling multiple IOCTL calls from userspace for remote invocation. It affects Qualcomm components, as detailed in the vendor's security bulletin. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact potential from local exploitation.

A local attacker with low privileges can exploit this issue with low complexity and no user interaction required. Successful exploitation enables high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution, data tampering, or system crashes through the memory corruption triggered by the IOCTL handling.

Qualcomm's March 2025 security bulletin (https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2025-bulletin.html) provides details on affected products and recommends applying vendor-supplied patches to mitigate the vulnerability. Security practitioners should review the bulletin for specific firmware or driver updates applicable to their environments.

Details

CWE(s)
CWE-416

Affected Products

qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
qmp1000 firmware
all versions
qualcomm
sdm429w firmware
all versions
qualcomm
sm8735 firmware
all versions
qualcomm
sm8750 firmware
all versions
qualcomm
sm8750p firmware
all versions
qualcomm
snapdragon 429 firmware
all versions
qualcomm
snapdragon 8 gen 3 firmware
all versions
qualcomm
snapdragon ar1 gen 1 firmware
all versions
+27 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-43062Same product: Qualcomm Fastconnect 6900
CVE-2024-33055Same product: Qualcomm Fastconnect 6900
CVE-2024-43059Same product: Qualcomm Fastconnect 6900
CVE-2024-49836Same product: Qualcomm Fastconnect 6900
CVE-2024-43061Same product: Qualcomm Fastconnect 6900
CVE-2024-33059Same product: Qualcomm Fastconnect 6900
CVE-2026-21380Same product: Qualcomm Fastconnect 6900
CVE-2024-38411Same product: Qualcomm Fastconnect 6900
CVE-2025-47358Same product: Qualcomm Fastconnect 6900
CVE-2025-47398Same product: Qualcomm Fastconnect 6900

References