Qualcomm has rolled out security updates to address almost two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a use-after-free bug in the Digital Signal Processor (DSP) Service that could lead to “memory corruption while maintaining memory maps of HLOS memory.”
Qualcomm credited Google Project Zero researcher Seth Jenkins and Conghui Wang for reporting the flaw, and Amnesty International Security Lab for confirming in-the-wild activity.
“There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation,” the chipmaker said in an advisory.
“Patches for the issue affecting FASTRPC driver have been made available to OEMs along with a strong recommendation to deploy the update on affected devices as soon as possible.”
The full scope of the attacks and their impact is presently unknown, although it's possible that the flaw may have been weaponized as part of spyware attacks targeting civil society members.
October’s patch also addresses a critical flaw in the WLAN Resource Manager (CVE-2024-33066, CVSS score: 9.8) that is caused by improper input validation and could result in memory corruption.
The development comes as Google released its own monthly Android security bulletin with fixes for 28 vulnerabilities, which also comprise issues identified in components from Imagination Technologies, MediaTek, and Qualcomm.