CVE-2024-49843
Published: 03 February 2025
Summary
CVE-2024-49843 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Qualcomm Fastconnect 6200 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 29.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the improper validation of array index in IOCTL parameters from user space, preventing memory corruption.
Implements memory protections that mitigate unauthorized memory access and code execution resulting from the array index out-of-bounds vulnerability.
Ensures timely identification, reporting, and patching of the specific memory corruption flaw as recommended in the vendor bulletin.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local memory corruption in kernel driver (IOCTL) directly enables privilege escalation via crafted input leading to arbitrary code execution.
NVD Description
Memory corruption while processing IOCTL from user space to handle GPU AHB bus error.
Deeper analysis
CVE-2024-49843 is a memory corruption vulnerability stemming from improper validation of array index (CWE-129) during the processing of IOCTL calls from user space intended to handle GPU AHB bus errors. It affects Qualcomm components, as detailed in the vendor's security bulletin.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation requires local access with low privileges and low complexity, with no user interaction needed. A malicious local user could send a crafted IOCTL request, triggering memory corruption that enables high-impact compromise of confidentiality, integrity, and availability, such as arbitrary code execution or system crashes.
Qualcomm's February 2025 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html outlines affected products and recommends applying vendor-provided patches for mitigation.
Details
- CWE(s)