Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation.
Of the 17 flaws, three are rated Critical, 13 are rated High, and one is rated Medium in severity.
“There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation,” the semiconductor company said in an advisory.
“Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible.”
CVE-2022-22071 (CVSS score: 8.4), described as a use-after-free in Automotive OS Platform, was originally patched by the company as part of its May 2022 updates.
While additional specifics about the remaining flaws are expected to be made public in December 2023, the disclosure comes the same day Arm shipped patches for a security flaw in the Mali GPU Kernel Driver (CVE-2023-4211) that has also come under limited, targeted exploitation.
Qualcomm’s October 2023 updates also address three critical issues, although there is no evidence that they have been abused in the wild:
- CVE-2023-24855 (CVSS score: 9.8) – Memory corruption in Modem while processing security related configuration before AS Security Exchange.
- CVE-2023-28540 (CVSS score: 9.1) – Cryptographic issue in Data Modem due to improper authentication during TLS handshake.
- CVE-2023-33028 (CVSS score: 9.8) – Memory corruption in WLAN Firmware while doing a memory copy of pmk cache.
Users are advised to apply updates from original equipment manufacturers (OEMs) as soon as they become available.

