CVE-2024-53028
Published: 03 March 2025
Summary
CVE-2024-53028 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Qualcomm Qam8255P Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 24.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, prioritization, and correction of flaws like this memory corruption vulnerability through vendor patches from Qualcomm's security bulletin.
Implements runtime memory protections such as address space layout randomization, data execution prevention, and stack guards to block exploitation of memory corruption during frontend message allocation processing.
Requires vulnerability scanning to identify affected Qualcomm components vulnerable to CVE-2024-53028, enabling proactive detection and remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption (TOCTOU race in allocation) directly enables exploitation by low-privileged attackers for privilege escalation with high C/I/A impact.
NVD Description
Memory corruption may occur while processing message from frontend during allocation.
Deeper analysisAI
CVE-2024-53028 is a memory corruption vulnerability that may occur while processing a message from the frontend during allocation, associated with CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition for Allocate/Deallocate). It carries a CVSS v3.1 base score of 7.8 (High), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability affects components in Qualcomm products, as documented in their security advisories.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized disclosure of sensitive information, modification of data or system integrity, and denial of service through availability disruption.
Qualcomm's March 2025 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2025-bulletin.html provides details on affected products and recommended mitigations or patches. Security practitioners should consult this advisory for specific remediation steps tailored to impacted devices.
Details
- CWE(s)