SB2023050129 - Multiple vulnerabilities in Qualcomm chipsets

Main Vulnerability Database SB2023050129

SB2023050129 - Multiple vulnerabilities in Qualcomm chipsets

Published: May 1, 2023

Security Bulletin ID SB2023050129

Severity

High

Patch available

YES

Number of vulnerabilities 13

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 13 secuirty vulnerabilities.

1) Type conversion (CVE-ID: CVE-2023-21665)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.

2) Memory leak (CVE-ID: CVE-2023-21666)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.

3) Improper Validation of Array Index (CVE-ID: CVE-2022-33281)

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in computer vision.. A local privileged application can execute arbitrary code.

4) Memory corruption (CVE-ID: CVE-2022-25713)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Automotive. A local application can execute arbitrary code.

5) Buffer over-read (CVE-ID: CVE-2022-33273)

The vulnerability allows a local application to read and manipulate data.

The vulnerability exists due to improper input validation in Trusted Execution Environment. A local application can read and manipulate data.

6) NULL Pointer Dereference (CVE-ID: CVE-2022-33304)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.

7) NULL Pointer Dereference (CVE-ID: CVE-2022-33305)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.

8) Reachable Assertion (CVE-ID: CVE-2022-34144)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.

9) Reachable Assertion (CVE-ID: CVE-2022-40504)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.

10) Buffer over-read (CVE-ID: CVE-2022-40505)

The vulnerability allows a remote attacker to read and manipulate data.

The vulnerability exists due to improper input validation in Modem. A remote attacker can read and manipulate data.

11) Reachable Assertion (CVE-ID: CVE-2022-40508)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.

12) Improper Access Control (CVE-ID: CVE-2023-21642)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in HAB Memory Management. A local application can execute arbitrary code.

13) Use After Free (CVE-ID: CVE-2022-33292)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Qualcomm IPC. A local application can execute arbitrary code.

Remediation

Install update from vendor's website.

References

https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2023-bulletin.html