Cyber Posture

CVE-2024-45584

High

Published: 03 February 2025

Published
03 February 2025
Modified
05 February 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 29.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45584 is a high-severity Untrusted Pointer Dereference (CWE-822) vulnerability in Qualcomm Ar8035 Firmware. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-16 Memory Protection good match
prevent

Implements memory safeguards such as address space randomization and data execution prevention to directly mitigate untrusted pointer dereferences and buffer overflows in kernel IOCTL handling.

SI-10 Information Input Validation good match
prevent

Requires validation of userspace IOCTL inputs to prevent memory corruption from invalid pointers and buffer overflows triggered by compat followed by normal IOCTL calls.

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, reporting, and patching of flaws like CVE-2024-45584 as detailed in the Qualcomm February 2025 security bulletin.

NVD Description

Memory corruption can occur when a compat IOCTL call is followed by a normal IOCTL call from userspace.

Deeper analysisAI

CVE-2024-45584 is a memory corruption vulnerability associated with CWE-822 (Untrusted Pointer Dereference) and CWE-119 (Buffer Overflow). It occurs when a compatibility IOCTL call is followed by a normal IOCTL call from userspace. The vulnerability affects Qualcomm products, as outlined in their February 2025 security bulletin, and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It was published on 2025-02-03.

A local attacker with low privileges can exploit this issue with low attack complexity and no user interaction. Exploitation leads to high impacts on confidentiality, integrity, and availability, enabling potential arbitrary code execution, data tampering, or denial of service within the affected system scope.

The Qualcomm February 2025 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html provides details on mitigation, including identification of affected products and recommended patches or updates.

Details

CWE(s)
CWE-822CWE-119

Affected Products

qualcomm
ar8035 firmware
all versions
qualcomm
fastconnect 6200 firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
qam8255p firmware
all versions
qualcomm
qam8295p firmware
all versions
qualcomm
qam8620p firmware
all versions
qualcomm
qam8650p firmware
all versions
qualcomm
qam8775p firmware
all versions
qualcomm
qamsrv1h firmware
all versions
+114 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-45553Same product: Qualcomm Ar8035
CVE-2024-53023Same product: Qualcomm Ar8035
CVE-2024-49838Same product: Qualcomm Ar8035
CVE-2025-47366Same product: Qualcomm Ar8035
CVE-2025-47408Same product: Qualcomm Fastconnect 6200
CVE-2025-47405Same product: Qualcomm Fastconnect 6900
CVE-2024-53034Same product: Qualcomm Fastconnect 6900
CVE-2024-53033Same product: Qualcomm Fastconnect 6900
CVE-2025-47345Same product: Qualcomm Ar8035
CVE-2025-47346Same product: Qualcomm Ar8035

References