Chipmaker Qualcomm has launched extra details about three high-severity safety flaws that it stated got here beneath “restricted, focused exploitation” again in October 2023.
The vulnerabilities are as follows –
- CVE-2023-33063 (CVSS rating: 7.8) – Reminiscence corruption in DSP Companies throughout a distant name from HLOS to DSP.
- CVE-2023-33106 (CVSS rating: 8.4) – Reminiscence corruption in Graphics whereas submitting a big checklist of sync factors in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
- CVE-2023-33107 (CVSS rating: 8.4) – Reminiscence corruption in Graphics Linux whereas assigning shared digital reminiscence area throughout IOCTL name.
Google’s Menace Evaluation Group and Google Mission Zero revealed again in October 2023 that the three flaws, together with CVE-2022-22071 (CVSS rating: 8.4), have been exploited within the wild as a part of restricted, focused assaults.
A safety researcher named luckyrb, the Google Android Safety group, and TAG researcher Benoît Sevens and Jann Horn of Google Mission Zero have been credited with reporting the safety vulnerabilities, respectively.
It is presently not recognized how these shortcomings have been weaponized, and who’re behind the assaults.
The event, nevertheless, has prompted the U.S. Cybersecurity and Infrastructure Safety Company (CISA) to add the 4 bugs to its Recognized Exploited Vulnerabilities (KEV) catalog, urging federal companies to use the patches by December 26, 2023.
It additionally follows Google’s announcement that the December 2023 safety updates for Android handle 85 flaws, together with a essential situation within the System element tracked as CVE-2023-40088 that “may result in distant (proximal/adjoining) code execution with no extra execution privileges wanted” and with none consumer interplay.