CVE-2024-49838
Published: 03 February 2025
Summary
CVE-2024-49838 is a high-severity Buffer Over-read (CWE-126) vulnerability in Qualcomm Ar8035 Firmware. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents buffer over-reads by validating invalid lengths in OCI IE inputs during parsing.
Requires timely patching of the specific Qualcomm parsing flaw as documented in the vendor security bulletin.
Provides memory protections that mitigate information disclosure from out-of-bounds reads in vulnerable components.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network parsing flaw enables unauthenticated exploitation of public-facing Qualcomm components for info disclosure.
NVD Description
Information disclosure while parsing the OCI IE with invalid length.
Deeper analysisAI
CVE-2024-49838 is an information disclosure vulnerability that arises while parsing the OCI IE with an invalid length, associated with CWE-126 (Buffer Over-read) and CWE-125 (Out-of-bounds Read). It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L), indicating high severity due to significant confidentiality impact. The vulnerability affects components documented in Qualcomm's security advisories.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. By sending a specially crafted input with an invalid length in the OCI IE, the attacker can trigger the parsing flaw, resulting in disclosure of sensitive information (high confidentiality impact) alongside a low availability impact from potential denial of service.
Qualcomm's February 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html, addresses this CVE with details on affected products and recommended mitigations or patches.
Details
- CWE(s)