Use-after-free in Qualcomm products - CVE-2021-35115
Published: March 7, 2022
Vulnerability identifier: #VU61075
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-35115
CWE-ID: CWE-416
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Qualcomm
Affected software:
APQ8096AU
MSM8996AU
QCA6574AU
SA6155P
SA8540P
SA9000P
SDX55
AR6003
MDM8215
MDM8215M
MDM8615M
MDM9215
MDM9310
MDM9615
MDM9615M
QCA6564A
QCA6564AU
QCA6574A
QCA6584AU
QCA6696
SA6145P
SA6150P
SA8145P
SA8150P
SA8155P
SA8195P
SDX55M
WCD9341
APQ8096AU
MSM8996AU
QCA6574AU
SA6155P
SA8540P
SA9000P
SDX55
AR6003
MDM8215
MDM8215M
MDM8615M
MDM9215
MDM9310
MDM9615
MDM9615M
QCA6564A
QCA6564AU
QCA6574A
QCA6584AU
QCA6696
SA6145P
SA6150P
SA8145P
SA8150P
SA8155P
SA8195P
SDX55M
WCD9341
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in Automotive Multimedia when handling multiple session supported by PVM backend. A remote attacker can pass specially crafted data to the system and execute arbitrary code.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
How to mitigate CVE-2021-35115
Install updates from vendor's website.