Integer overflow in Qualcomm Mobile applications

#VU52822 Integer overflow in Qualcomm Mobile applications

Published: 2021-05-03

Vulnerability identifier: #VU52822

Vulnerability risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-1895

CWE-ID: CWE-190

Exploitation vector: Local

Exploit availability: No

Vendor: Qualcomm

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to integer overflow during system boot when flushing an image. A local user can execute arbitrary code with elevated privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

APQ8009: All versions

APQ8053: All versions

MDM9206: All versions

PM215: All versions

PM8909: All versions

PM8916: All versions

PM8953: All versions

PMD9607: All versions

PMI8952: All versions

QCA9367: All versions

QCA9377: All versions

Qualcomm215: All versions

SMB1358: All versions

SMB1360: All versions

SMB231: All versions

WCD9326: All versions

WCD9330: All versions

WCN3615: All versions

WCN3660B: All versions

WCN3680: All versions

WCN3680B: All versions

WSA8810: All versions

WSA8815: All versions

WTR2965: All versions

External links
http://www.qualcomm.com/company/product-security/bulletins/may-2021-bulletin
http://source.codeaurora.org/quic/le/kernel/lk/commit/?id=6dcf0c38be38b659405a618e2066c7abd218ef21

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Qualcomm chipsets