Buffer over-read in Qualcomm Hardware solutions

#VU71897 Buffer over-read in Qualcomm Hardware solutions

Published: 2023-02-06

Vulnerability identifier: #VU71897

Vulnerability risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11266

CWE-ID: CWE-126

Exploitation vector: Local

Exploit availability: No

Vendor: Qualcomm

Description

The vulnerability allows a local application to read and manipulate data.

The vulnerability exists due to improper input validation in Trustzone. A local application can read and manipulate data.

Mitigation
Install security update from vendor's website.

Vulnerable software versions

AR7420: All versions

AR9580: All versions

CSR8811: All versions

IPQ4018: All versions

IPQ4019: All versions

IPQ4028: All versions

IPQ4029: All versions

QCA10901: All versions

QCA4024: All versions

QCA7500: All versions

QCA7520: All versions

QCA7550: All versions

QCA8075: All versions

QCA9880: All versions

QCA9886: All versions

QCA9888: All versions

QCA9889: All versions

QCA9898: All versions

QCA9984: All versions

QCA9992: All versions

QCA9994: All versions

QCN3018: All versions

QFE1922: All versions

QFE1952: All versions

WCD9340: All versions

WSA8810: All versions

External links
http://www.qualcomm.com/company/product-security/bulletins/january-2021-bulletin

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Qualcomm chipsets