CISA KEV Update Part II – December 2023


The U.S. CISA has added Qualcomm vulnerabilities to its Known Exploited Vulnerabilities catalog.

The list includes the following vulnerabilities:

  • CVE-2023-33106 Qualcomm Multiple Chipsets Use of Out-of-Range Pointer Offset Vulnerability
  • CVE-2023-33063 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
  • CVE-2023-33107 Qualcomm Multiple Chipsets Integer Overflow Vulnerability
  • CVE-2022-22071 Qualcomm Multiple Chipsets Use-After-Free Vulnerability

The vendor addressed the flaws in October 2023. The company also warned that three of the zero-day vulnerabilities were actively exploited in the wild. CVE-2022-22071 was included in our May 2022 public bulletin.

Google Threat Analysis Group and Google Project Zero first reported that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071 and CVE-2023-33063 were actively exploited in targeted attacks and believe that one of these threat actors may be behind the exploitation of the Qualcomm flaws.

CISA orders federal agencies to fix these vulnerabilities by December 26, 2023.
