#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

Qualcomm | Breaking Cybersecurity News | The Hacker News

Category — Qualcomm
Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits

Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits

Oct 08, 2024 Mobile Security / Privacy
Qualcomm has rolled out security updates to address nearly two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a user-after-free bug in the Digital Signal Processor (DSP) Service that could lead to "memory corruption while maintaining memory maps of HLOS memory." Qualcomm credited Google Project Zero researcher Seth Jenkins and Conghui Wang for reporting the flaw, and Amnesty International Security Lab for confirming in-the-wild activity. "There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation," the chipmaker said in an advisory. "Patches for the issue affecting FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible." ...
Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day

Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day

Jun 13, 2024 Mobile Security / Vulnerability
Google has warned that a security flaw impacting Pixel Firmware has been exploited in the wild as a zero-day. The high-severity vulnerability, tagged as CVE-2024-32896 , has been described as an elevation of privilege issue in Pixel Firmware. The company did not share any additional details related to the nature of attacks exploiting it, but noted "there are indications that CVE-2024-32896 may be under limited, targeted exploitation." The June 2024 security update addresses a total of 50 security vulnerabilities, five of which relate to various components in Qualcomm chipsets. Some of the notable issues patched include denial-of-service (DoS) issue impacting Modem, and numerous information disclosure flaws affecting GsmSs, ACPM, and Trusty.  The updates are available for supported Pixel devices , such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold. Earlier this April, Google resolved...
Want to Grow Vulnerability Management into Exposure Management? Start Here!

Want to Grow Vulnerability Management into Exposure Management? Start Here!

Dec 05, 2024Attack Surface / Exposure Management
Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...
New 5G Modem Flaws Affect iOS Devices and Android Models from Major Brands

New 5G Modem Flaws Affect iOS Devices and Android Models from Major Brands

Dec 08, 2023 Vulnerability / Mobile Network
A collection of security flaws in the firmware implementation of 5G mobile network modems from major chipset vendors such as MediaTek and Qualcomm impact USB and IoT modems as well as hundreds of smartphone models running Android and iOS. Of the 14 flaws – collectively called  5Ghoul  (a combination of "5G" and "Ghoul") – 10 affect 5G modems from the two companies, out of which three have been classified as high-severity vulnerabilities. "5Ghoul vulnerabilities may be exploited to continuously launch attacks to drop the connections, freeze the connection that involve manual reboot or downgrade the 5G connectivity to 4G," the researchers  said  in a study published today. As many as 714 smartphones from 24 brands are impacted, including those from Vivo, Xiaomi, OPPO, Samsung, Honor, Motorola, realme, OnePlus, Huawei, ZTE, Asus, Sony, Meizu, Nokia, Apple, and Google. The vulnerabilities were disclosed by a team of researchers from the ASSET (Automated ...
cyber security

Breaking Barriers: Strategies to Unite AppSec and R&D for Success

websiteBackslashApplication Security
Tackle common challenges to make security and innovation work seamlessly.
Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks

Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks

Dec 06, 2023 Vulnerability / Mobile Security
Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023. The  vulnerabilities  are as follows - CVE-2023-33063  (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP. CVE-2023-33106  (CVSS score: 8.4) - Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND. CVE-2023-33107  (CVSS score: 8.4) - Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call. Google's Threat Analysis Group and Google Project Zero  revealed  back in October 2023 that the three flaws, along with  CVE-2022-22071  (CVSS score: 8.4), have been exploited in the wild as part of limited, targeted attacks. A security researcher named luckyrb, the Google Android Security team, and TAG researcher BenoĆ®t Sevens...
Qualcomm Releases Patch for 3 new Zero-Days Under Active Exploitation

Qualcomm Releases Patch for 3 new Zero-Days Under Active Exploitation

Oct 03, 2023 Zero Day / Vulnerability
Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation. Of the 17 flaws, three are rated Critical, 13 are rated High, and one is rated Medium in severity. "There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation," the semiconductor company  said  in an advisory. "Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible." CVE-2022-22071  (CVSS score: 8.4), described as a use-after-free in Automotive OS Platform, was originally patched by the company as part of its May 2022 updates. While additional specifics about the remaining three flaws are expected to be made...
Qualcomm Chipsets and Lenovo BIOS Get Security Updates to Fix Multiple Flaws

Qualcomm Chipsets and Lenovo BIOS Get Security Updates to Fix Multiple Flaws

Jan 04, 2023 Firmware Security
Qualcomm on Tuesday  released patches  to address multiple security flaws in its chipsets, some of which could be exploited to cause information disclosure and memory corruption. The five vulnerabilities -- tracked from CVE-2022-40516 through CVE-2022-40520 -- also impact Lenovo ThinkPad X13s laptops, prompting the Chinese PC maker to issue BIOS updates to plug the security holes. The list of flaws is as follows - CVE-2022-40516, CVE-2022-40517 & CVE-2022-40520  (CVSS scores: 8.4) - Memory corruption in Core due to  stack-based buffer overflow CVE-2022-40518 & CVE-2022-40519  (CVSS scores: 6.8) - Information disclosure due to  buffer over-read  in Core Stack-based buffer overflow vulnerabilities can result in severe impacts, such as data corruption, system crashes, and arbitrary code execution. Buffer over-reads, on the other hand, can be weaponized to read out-of-bounds memory, leading to the exposure of secret data. Successful explo...
New Qualcomm Chip Bug Could Let Hackers Spy On Android Devices

New Qualcomm Chip Bug Could Let Hackers Spy On Android Devices

May 06, 2021
Cybersecurity researchers have disclosed a new security vulnerability in Qualcomm's mobile station modems (MSM) that could potentially allow an attacker to leverage the underlying Android operating system to slip malicious code into mobile phones, undetected. "If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them access to SMS messages and audio of phone conversations," researchers from Israeli security firm Check Point  said  in an analysis published today. The heap overflow vulnerability, tracked as CVE-2020-11292 , resides in the QMI voice service API exposed by the modem to the high level operating system, and could be exploited by a malicious app to conceal its activities "underneath" the OS in the modem chip itself, thus making it invisible to the security protections built into the device. Designed since the 1990s, Qualcomm  MSM  chip...
Qualcomm Chip Flaws Let Hackers Steal Private Data From Android Devices

Qualcomm Chip Flaws Let Hackers Steal Private Data From Android Devices

Nov 14, 2019
Hundreds of millions of devices, especially Android smartphones and tablets, using Qualcomm chipsets, are vulnerable to a new set of potentially serious vulnerabilities. According to a report cybersecurity firm CheckPoint shared with The Hacker News, the flaws could allow attackers to steal sensitive data stored in a secure area that is otherwise supposed to be the most protected part of a mobile device. The vulnerabilities reside in Qualcomm's Secure Execution Environment (QSEE), an implementation of Trusted Execution Environment (TEE) based on ARM TrustZone technology. Also known as Qualcomm's Secure World, QSEE is a hardware-isolated secure area on the main processor that aims to protect sensitive information and provides a separate secure environment (REE) for executing Trusted Applications. Along with other personal information, QSEE usually contains private encryption keys, passwords, credit, and debit card credentials. Since it is based on the principle of l...
US Tech Giants Google, Intel, Qualcomm, Broadcom Break Up With Huawei

US Tech Giants Google, Intel, Qualcomm, Broadcom Break Up With Huawei

May 20, 2019
Google has reportedly suspended all businesses with the world's second-biggest smartphone maker, Huawei, and revoked its Android license effective immediately—a move that will have a drastic impact on Huawei devices across the globe. Revoking Android license means Huawei future smartphones will no longer have access to Android updates and apps like Gmail or the Play Store, as well as Google technical support beyond services that are publicly available via open source licensing, Reuters report. Why? That's because last week, U.S. President Donald Trump signed an executive order declaring a national emergency banning foreign companies—over surveillance fear—from doing telecommunication business in the United States without the government's approval. About the executive order, White House Press Secretary Sarah Sanders said in a statement that President Trump "has made it clear that this Administration will do what it takes to keep America safe and prosperous, an...
EU Antitrust Regulators Fine Qualcomm $1.2 Billion Over Apple Deal

EU Antitrust Regulators Fine Qualcomm $1.2 Billion Over Apple Deal

Jan 25, 2018
The antitrust fine has hit Qualcomm badly. The European Commission has levied a fine of €997 Million, approximately $1.2 Billion, against U.S. chipmaker Qualcomm Inc. for violating antitrust laws in a series of deals with Apple by "abusing its market dominance in LTE baseband chipsets." According to the European Union (EU), Qualcomm paid Apple billions of dollars to make the iPhone-maker exclusively use its 4G chips in all its iPhones and iPads, reducing competition from other competing manufacturers in the LTE baseband chip industry like Intel. The European Commission launched an investigation in 2015, which revealed that Qualcomm abused its market dominance in LTE baseband chipsets and struck a deal with Apple in 2011, which meant the iPhone maker would have to repay Qualcomm if it decided to use a rival's chipsets until the end of 2016, hurting innovation in the chip sector. "This meant that no rival could effectively challenge Qualcomm in this market, ...
Expert Insights / Articles Videos
Cybersecurity Resources