Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023.
The vulnerabilities are as follows –
- CVE-2023-33063 (CVSS score: 7.8) – Memory corruption in DSP Services during a remote call from HLOS to DSP.
- CVE-2023-33106 (CVSS score: 8.4) – Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
- CVE-2023-33107 (CVSS score: 8.4) – Memory corruption in Graphics Linux while assigning a shared virtual memory region during an IOCTL call.
Google's Threat Analysis Group (TAG) and Google Project Zero revealed back in October 2023 that the three flaws, along with CVE-2022-22071 (CVSS score: 8.4), had been exploited in the wild as part of limited, targeted attacks.
A security researcher named luckyrb, the Google Android Security team, and TAG researcher Benoît Sevens and Jann Horn of Google Project Zero have been credited with reporting the security vulnerabilities, respectively.
It is currently not known how these shortcomings have been weaponized, or who is behind the attacks.
The development, however, has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the four bugs to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the patches by December 26, 2023.
It also follows Google's announcement that the December 2023 security updates for Android address 85 flaws, including a critical issue in the System component tracked as CVE-2023-40088 that "could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed" and without any user interaction.