#VU56341 Improper Validation of Array Index in Qualcomm products - CVE-2021-1933

Vulnerability identifier: #VU56341

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2021-1933

CWE-ID: CWE-129

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
APQ8017
APQ8053
MSM8917
MSM8920
MSM8940
MSM8953
QCA6174A
QCA6574AU
QCA9377
QCS605
SD636
SD675
SD450
SD665
SD670
SD712
SD730
SD845
SD850
SD855
SDM429W
SDM630
SDX24
SDX55
AQT1000
CSRB31024
QCA6310
QCA6335
QCA6390
QCA6420
QCA6430
QCA6564AU
QCA6574A
QCA6584AU
QCA6595AU
QCA6696
QCM4290
QCM6125
QCS410
QCS4290
QCS603
QCS610
QCS6125
Qualcomm215
SA415M
SA8155
SA8155P
SC8180X+SDX55
SD455
SD8C
SD8CX
SD429
SD632
SD678
SD720G
SDA429W
SDX50M
SDX55M
SDXR1
SM6250
SM6250P
WCD9340
WCD9360
WCD9370
WCD9371
WCD9375
WCD9380
WCN3610
WCN3620
WCN3660
WCN3660B
WCN3680
WCN3910
WCN3950
WCN3988
WCN3991
WCN3998
WCN6850
WHS9410
WSA8815

Software vendor:
Qualcomm

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper validation of invite message with SDP body within the Data Modem component. A remote attacker can send specially crafted data to the system, trigger memory corruption and execute arbitrary code on the system.

Install updates from vendor's website.

• https://www.qualcomm.com/company/product-security/bulletins/september-2021-bulletin