Use-after-free in Qualcomm Mobile applications

#VU61075 Use-after-free in Qualcomm Mobile applications

Published: 2022-03-07

Vulnerability identifier: #VU61075

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35115

CWE-ID: CWE-416

Exploitation vector: Network

Exploit availability: No

Vendor: Qualcomm

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in Automotive Multimedia when handling multiple session supported by PVM backend. A remote attacker can pass specially crafted data to the system and execute arbitrary code.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

APQ8096AU: All versions

AR6003: All versions

MDM8215: All versions

MDM8215M: All versions

MDM8615M: All versions

MDM9215: All versions

MDM9310: All versions

MDM9615: All versions

MDM9615M: All versions

MSM8996AU: All versions

QCA6564A: All versions

QCA6564AU: All versions

QCA6574A: All versions

QCA6574AU: All versions

QCA6584AU: All versions

QCA6696: All versions

SA6145P: All versions

SA6150P: All versions

SA6155P: All versions

SA8145P: All versions

SA8150P: All versions

SA8155P: All versions

SA8195P: All versions

SA8540P: All versions

SA9000P: All versions

SDX55: All versions

SDX55M: All versions

WCD9341: All versions

External links
http://www.qualcomm.com/company/product-security/bulletins/march-2022-bulletin

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Qualcomm chipsets