CVE-2024-49836
Published: 03 March 2025
Summary
CVE-2024-49836 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the root cause of CWE-129 improper validation of array index during camera frame processing synchronization to prevent memory corruption.
Implements memory protections such as address space randomization and non-executable memory to mitigate exploitation of memory corruption in the camera pipeline.
Requires timely application of Qualcomm patches to remediate the specific memory corruption flaw in affected components.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption vulnerability enabling arbitrary code execution from low privileges, directly mapping to exploitation for privilege escalation.
NVD Description
Memory corruption may occur during the synchronization of the camera`s frame processing pipeline.
Deeper analysisAI
CVE-2024-49836 is a memory corruption vulnerability that may occur during the synchronization of a camera's frame processing pipeline. It affects Qualcomm components, as detailed in their security bulletin, and is classified under CWE-129 (Improper Validation of Array Index). The vulnerability carries a CVSS v3.1 base score of 7.8, reflecting high severity due to its potential for significant impact.
A local attacker with low privileges can exploit this issue with low attack complexity and no user interaction required. Successful exploitation enables high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution or system compromise through memory corruption in the camera pipeline.
Qualcomm's March 2025 security bulletin (https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2025-bulletin.html) provides details on affected products and recommended mitigations or patches. Security practitioners should consult the advisory for specific remediation steps.
Details
- CWE(s)