#VU71951 Buffer over-read in Qualcomm products - CVE-2022-33229


Vulnerability identifier: #VU71951

Vulnerability risk: High

CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-33229

CWE-ID: CWE-126

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
AR8031
Mobile applications / Mobile firmware & hardware
CSRA6620
Mobile applications / Mobile firmware & hardware
CSRA6640
Mobile applications / Mobile firmware & hardware
MDM8207
Mobile applications / Mobile firmware & hardware
MDM9205
Mobile applications / Mobile firmware & hardware
MDM9207
Mobile applications / Mobile firmware & hardware
QCA4004
Mobile applications / Mobile firmware & hardware
QCA4010
Mobile applications / Mobile firmware & hardware
QCA4020
Mobile applications / Mobile firmware & hardware
QCA4024
Mobile applications / Mobile firmware & hardware
QTS110
Mobile applications / Mobile firmware & hardware
WCD9306
Mobile applications / Mobile firmware & hardware
WCD9330
Mobile applications / Mobile firmware & hardware
WCD9335
Mobile applications / Mobile firmware & hardware
WCN3980
Mobile applications / Mobile firmware & hardware
WCN3999
Mobile applications / Mobile firmware & hardware
WSA8810
Mobile applications / Mobile firmware & hardware
WSA8815
Mobile applications / Mobile firmware & hardware
MDM9206
Hardware solutions / Firmware
MDM9607
Hardware solutions / Firmware
QCS405
Hardware solutions / Firmware

Vendor: Qualcomm

Description

The vulnerability allows a remote attacker to read and manipulate data.

The vulnerability exists due to improper input validation in Modem. A remote attacker can read and manipulate data.

Mitigation
Install security update from vendor's website.

Vulnerable software versions

AR8031: All versions

CSRA6620: All versions

CSRA6640: All versions

MDM8207: All versions

MDM9205: All versions

MDM9206: All versions

MDM9207: All versions

MDM9607: All versions

QCA4004: All versions

QCA4010: All versions

QCA4020: All versions

QCA4024: All versions

QCS405: All versions

QTS110: All versions

WCD9306: All versions

WCD9330: All versions

WCD9335: All versions

WCN3980: All versions

WCN3999: All versions

WSA8810: All versions

WSA8815: All versions

External links
https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2023-bulletin.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Qualcomm chipsets