CVE-2024-53031
Published: 03 March 2025
Summary
CVE-2024-53031 is a high-severity Improper Input Validation (CWE-20) vulnerability in Qualcomm Qam8255P Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 29.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly enforces proper validation of untrusted inputs from guest VM buffers to prevent memory corruption due to improper input validation (CWE-20).
Implements memory protection mechanisms that mitigate out-of-bounds writes (CWE-787) and memory corruption in the host triggered by guest-controlled buffers.
Ensures timely remediation of the specific Qualcomm memory corruption flaw through patching as detailed in the security bulletin.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Memory corruption in host context from guest-controlled buffer directly enables local privilege escalation and arbitrary code execution (T1068).
NVD Description
Memory corruption while reading a type value from a buffer controlled by the Guest Virtual Machine.
Deeper analysis
CVE-2024-53031 is a memory corruption vulnerability (CWE-20: Improper Input Validation; CWE-787: Out-of-bounds Write) that occurs while reading a type value from a buffer controlled by the Guest Virtual Machine. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and affects components in Qualcomm products, as referenced in their security bulletin.
The vulnerability can be exploited by a local attacker with low privileges (PR:L) on the affected system; the attack has low complexity (AC:L) and requires no user interaction (UI:N). With control over the Guest Virtual Machine's buffer, the attacker can trigger memory corruption in the host context, with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) and an unchanged security scope (S:U), potentially enabling privilege escalation or arbitrary code execution.
Qualcomm's March 2025 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2025-bulletin.html details affected products, patch availability, and mitigation guidance for this vulnerability.
Details
- CWE(s)