#VU51656 Use of Out-of-range Pointer Offset in Qualcomm products - CVE-2020-11256
Published: March 23, 2021
Vulnerability identifier: #VU51656
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-11256
CWE-ID: CWE-823
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
AR7420
AR9580
CSR8811
IPQ4018
IPQ4028
IPQ4029
QCA10901
QCA4024
QCA7500
QCA7520
QCA7550
QCA8075
QCA9880
QCA9886
QCA9888
QCA9889
QCA9898
QCA9984
QCA9992
QCA9994
QCN3018
QFE1922
QFE1952
WCD9340
WSA8810
IPQ4019
AR7420
AR9580
CSR8811
IPQ4018
IPQ4028
IPQ4029
QCA10901
QCA4024
QCA7500
QCA7520
QCA7550
QCA8075
QCA9880
QCA9886
QCA9888
QCA9889
QCA9898
QCA9984
QCA9992
QCA9994
QCN3018
QFE1922
QFE1952
WCD9340
WSA8810
IPQ4019
Software vendor:
Qualcomm
Qualcomm
Description
The vulnerability allows a local user to escalate privileges on the system
The vulnerability exists due to a boundary error in WIN TZ FW, when processing a pointer to buffer in trustzone. A local user can run a specially crafted program to trigger an out-of-bound pointer offset and execute arbitrary code on the system with elevated privileges.
Remediation
Install updates from vendor's website.