CVE-2024-49833
Published: 03 February 2025
Summary
CVE-2024-49833 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Qualcomm Fastconnect 6700 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of inputs like invalid Camera IDs to prevent memory corruption in the camera component.
Mandates timely remediation of the identified memory corruption flaw via application of Qualcomm patches.
Provides comprehensive memory protection mechanisms to mitigate exploitation of memory corruption triggered by invalid CIDs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption in Qualcomm camera component directly enables arbitrary code execution from low-privileged context, mapping to exploitation for privilege escalation.
NVD Description
Memory corruption can occur in the camera when an invalid CID is used.
Deeper analysisAI
CVE-2024-49833 is a memory corruption vulnerability (CWE-129) in the camera component of Qualcomm products, triggered when an invalid Camera ID (CID) is used. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability. The issue stems from improper validation leading to memory corruption.
A local attacker with low privileges, such as a standard user on the affected system, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation could allow arbitrary code execution, data tampering, or system crashes within the camera subsystem's scope, potentially compromising the device.
Qualcomm has published a security bulletin detailing the vulnerability and associated patches: https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html. Security practitioners should apply the recommended updates from the February 2025 bulletin to mitigate the risk.
Details
- CWE(s)