Use-after-free in Qualcomm Hardware solutions

#VU64045 Use-after-free in Qualcomm Hardware solutions

Published: 2022-06-07

Vulnerability identifier: #VU64045

Vulnerability risk: Low

CVSSv3.1: 7.3 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22090

CWE-ID: CWE-416

Exploitation vector: Local

Exploit availability: No

Vendor: Qualcomm

Description

The vulnerability allows a local attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error while managing buffers from internal cache in Audio. A local attacker can execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SD 8 Gen1 5G: All versions

SD865 5G: All versions

SD888 5G: All versions

SDX65: All versions

SM7450: All versions

SM8475: All versions

SM8475P: All versions

WCD9370: All versions

WCD9375: All versions

WCD9380: All versions

WCD9385: All versions

WCN6750: All versions

WCN6850: All versions

WCN6851: All versions

WCN6855: All versions

WCN6856: All versions

WCN7850: All versions

WCN7851: All versions

WSA8810: All versions

WSA8815: All versions

WSA8830: All versions

WSA8832: All versions

WSA8835: All versions

External links
http://docs.qualcomm.com/product/publicresources/securitybulletin/june-2022-bulletin.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Google Android

Multiple vulnerabilities in Qualcomm chipsets