Use-after-free in Qualcomm products - CVE-2021-30263

 

Use-after-free in Qualcomm products - CVE-2021-30263

Published: November 3, 2021


Vulnerability identifier: #VU57908
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-30263
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Qualcomm
Affected software:
AQT1000
AR8031
AR8035
CSRA6620
CSRA6640
QCA6391
QCA6420
QCA6430
QCA8337
QCM6125
QCS6125
SD 8C
SD 8CX
SDX55M
WCD9335
WCD9340
WCD9341
WCD9370
WCN3950
WCN3980
WCN3998
WCN3999
WSA8810
WSA8815
QCS405
SD855
SDX55

Detailed vulnerability description

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to lack of synchronization mechanism when On-Device Logging node open twice concurrently. A local administrator can trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.


How to mitigate CVE-2021-30263

Install updates from vendor's website.

Sources