CVE-2023-33063
published 2023-12-05

CVE-2023-33063: Memory corruption in DSP Services during a remote call from HLOS to DSP.

Priority: P184 · high · 7.8 (CVSS 3.1)
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2023-12-26
Exploited in the wild
EPSS: 0.70% (48.5th percentile)
Memory corruption in DSP Services during a remote call from HLOS to DSP.

Affected

282 ranges · showing 25
Vendor | Product | Version range | Fixed in
google | android | |
qualcomm_inc | snapdragon | | (24 identical rows)

Detection & IOCs (extracted from sources)

url: https://git.codelinaro.org/clo/la/kernel/msm-5.15/-/commit/2643808ddbedfaabbb334741873fb2857f78188a
url: https://git.codelinaro.org/clo/la/kernel/msm-4.14/-/commit/d43222efda5a01c9804d74a541e3c1be9b7fe110
  • Vulnerability class is use-after-free triggered during a remote call from HLOS (High-Level OS) to DSP via DSP Services; monitor for anomalous HLOS-to-DSP IPC/RPC calls on Qualcomm chipset devices.
  • CVE is listed in CISA KEV (Known Exploited Vulnerabilities), indicating active in-the-wild exploitation; prioritize detection and patching on Android devices running affected Qualcomm chipsets.
  • Patch is tracked under Android Security Bulletin reference A-266568298 and Qualcomm QC-CR#3447219; verify kernel patch presence on Android devices to confirm remediation.
  • Vulnerability affects multiple Qualcomm chipsets; specific affected chipset models are not enumerated in the available sources, so check Qualcomm's security advisory for the full affected product list.
  • Two separate kernel patch commits exist for different kernel versions (msm-5.15 and msm-4.14); ensure the correct patch is applied for the kernel version in use.

CVSS provenance

nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck | 7.8 | HIGH
cisa | 7.8 | HIGH