SB2024030430 - Multiple vulnerabilities in Qualcomm chipsets
Published: March 4, 2024 Updated: June 14, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 22 secuirty vulnerabilities.
1) Missing release of memory after effective lifetime (CVE-ID: CVE-2023-33084)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Data Modem. A remote attacker can perform a denial of service (DoS) attack.
2) Integer overflow (CVE-ID: CVE-2023-43550)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Core Services. A local application can execute arbitrary code.
3) NULL Pointer Dereference (CVE-ID: CVE-2023-43541)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Windows Graphics. A local application can execute arbitrary code.
4) Stack-based buffer overflow (CVE-ID: CVE-2023-43549)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can execute arbitrary code.
5) Buffer over-read (CVE-ID: CVE-2023-43539)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
6) Improper input validation (CVE-ID: CVE-2023-33104)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can perform a denial of service (DoS) attack.
7) Improper input validation (CVE-ID: CVE-2023-33103)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can perform a denial of service (DoS) attack.
8) Reachable Assertion (CVE-ID: CVE-2023-33096)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can perform a denial of service (DoS) attack.
9) Reachable Assertion (CVE-ID: CVE-2023-33095)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Multi-Mode Call Processor. A remote attacker can perform a denial of service (DoS) attack.
10) Missing release of memory after effective lifetime (CVE-ID: CVE-2023-33086)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Data Modem. A remote attacker can perform a denial of service (DoS) attack.
11) Buffer overflow (CVE-ID: CVE-2023-28582)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in Data Modem. A remote attacker can execute arbitrary code.
12) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2023-33066)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.
13) Memory corruption (CVE-ID: CVE-2023-28578)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Services. A local application can execute arbitrary code.
14) Buffer over-read (CVE-ID: CVE-2023-33078)
The vulnerability allows a local privileged application to read and manipulate data.
The vulnerability exists due to improper input validation in DSP Services. A local privileged application can read and manipulate data.
15) Buffer overflow (CVE-ID: CVE-2023-43548)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Video. A remote attacker can read and manipulate data.
16) Use After Free (CVE-ID: CVE-2023-43547)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Multimedia. A local application can execute arbitrary code.
17) Use After Free (CVE-ID: CVE-2023-43546)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Multimedia. A local application can execute arbitrary code.
18) Buffer overflow (CVE-ID: CVE-2023-43540)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Bluetooth HOST. A local application can execute arbitrary code.
19) Configuration (CVE-ID: CVE-2023-33105)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Host and Firmware. A remote attacker can perform a denial of service (DoS) attack.
20) Buffer over-read (CVE-ID: CVE-2023-33090)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Audio. A local application can perform a denial of service (DoS) attack.
21) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2023-43553)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HOST. A remote attacker can execute arbitrary code.
22) Use After Free (CVE-ID: CVE-2023-43552)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN Host Communication. A remote attacker can execute arbitrary code.
Remediation
Install update from vendor's website.