Vulnerability identifier: #VU52822
Vulnerability risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-190
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
APQ8009
Hardware solutions /
Firmware
APQ8053
Hardware solutions /
Firmware
MDM9206
Hardware solutions /
Firmware
QCA9377
Hardware solutions /
Firmware
PM215
Mobile applications /
Mobile firmware & hardware
PM8909
Mobile applications /
Mobile firmware & hardware
PM8916
Mobile applications /
Mobile firmware & hardware
PM8953
Mobile applications /
Mobile firmware & hardware
PMD9607
Mobile applications /
Mobile firmware & hardware
PMI8952
Mobile applications /
Mobile firmware & hardware
QCA9367
Mobile applications /
Mobile firmware & hardware
Qualcomm215
Mobile applications /
Mobile firmware & hardware
SMB1358
Mobile applications /
Mobile firmware & hardware
SMB1360
Mobile applications /
Mobile firmware & hardware
SMB231
Mobile applications /
Mobile firmware & hardware
WCD9326
Mobile applications /
Mobile firmware & hardware
WCD9330
Mobile applications /
Mobile firmware & hardware
WCN3615
Mobile applications /
Mobile firmware & hardware
WCN3660B
Mobile applications /
Mobile firmware & hardware
WCN3680
Mobile applications /
Mobile firmware & hardware
WCN3680B
Mobile applications /
Mobile firmware & hardware
WSA8810
Mobile applications /
Mobile firmware & hardware
WSA8815
Mobile applications /
Mobile firmware & hardware
WTR2965
Mobile applications /
Mobile firmware & hardware
Vendor: Qualcomm
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to integer overflow during system boot when flushing an image. A local user can execute arbitrary code with elevated privileges.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
APQ8009: All versions
APQ8053: All versions
MDM9206: All versions
PM215: All versions
PM8909: All versions
PM8916: All versions
PM8953: All versions
PMD9607: All versions
PMI8952: All versions
QCA9367: All versions
QCA9377: All versions
Qualcomm215: All versions
SMB1358: All versions
SMB1360: All versions
SMB231: All versions
WCD9326: All versions
WCD9330: All versions
WCN3615: All versions
WCN3660B: All versions
WCN3680: All versions
WCN3680B: All versions
WSA8810: All versions
WSA8815: All versions
WTR2965: All versions
External links
http://www.qualcomm.com/company/product-security/bulletins/may-2021-bulletin
http://source.codeaurora.org/quic/le/kernel/lk/commit/?id=6dcf0c38be38b659405a618e2066c7abd218ef21
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.