Cyber Resilience

CVE-2024-49836

High

Published: 03 March 2025

Published
03 March 2025
Modified
06 March 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 29.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-49836 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-49836 is a memory corruption vulnerability that may occur during the synchronization of a camera's frame processing pipeline. It affects Qualcomm components, as detailed in their security bulletin, and is classified under CWE-129 (Improper Validation of Array Index). The vulnerability carries a CVSS v3.1 base score of 7.8, reflecting high severity due to its potential for significant impact.

A local attacker with low privileges can exploit this issue with low attack complexity and no user interaction required. Successful exploitation enables high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution or system compromise through memory corruption in the camera pipeline.

Qualcomm's March 2025 security bulletin (https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2025-bulletin.html) provides details on affected products and recommended mitigations or patches. Security practitioners should consult the advisory for specific remediation steps.

EU & UK References

Vulnerability details

Memory corruption may occur during the synchronization of the camera`s frame processing pipeline.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption vulnerability enabling arbitrary code execution from low privileges, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-49832Same product: Qualcomm Fastconnect 6900
CVE-2024-45582Same product: Qualcomm Fastconnect 6900
CVE-2024-49843Same product: Qualcomm Fastconnect 7800
CVE-2024-45580Same product: Qualcomm Fastconnect 6900
CVE-2026-25276Same product: Qualcomm Fastconnect 6900
CVE-2024-49833Same product: Qualcomm Fastconnect 6900
CVE-2024-45550Same product: Qualcomm Fastconnect 6900
CVE-2024-49834Same product: Qualcomm Fastconnect 6900
CVE-2024-53014Same product: Qualcomm Fastconnect 6900
CVE-2024-49837Same vendor: Qualcomm

Affected Assets

qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
qmp1000 firmware
all versions
qualcomm
sdm429w firmware
all versions
qualcomm
sm8735 firmware
all versions
qualcomm
sm8750 firmware
all versions
qualcomm
sm8750p firmware
all versions
qualcomm
snapdragon 429 firmware
all versions
qualcomm
snapdragon 8 gen 3 firmware
all versions
qualcomm
sxr2230p firmware
all versions
+19 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the root cause of CWE-129 improper validation of array index during camera frame processing synchronization to prevent memory corruption.

prevent

Implements memory protections such as address space randomization and non-executable memory to mitigate exploitation of memory corruption in the camera pipeline.

prevent

Requires timely application of Qualcomm patches to remediate the specific memory corruption flaw in affected components.

References