CVE-2023-33063
published 2023-12-05CVE-2023-33063: Memory corruption in DSP Services during a remote call from HLOS to DSP.
PriorityP184high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2023-12-26
Exploited in the wild
EPSS
0.70%
48.5th percentile
Memory corruption in DSP Services during a remote call from HLOS to DSP.
Affected
282 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
| qualcomm_inc | snapdragon | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttps://git.codelinaro.org/clo/la/kernel/msm-5.15/-/commit/2643808ddbedfaabbb334741873fb2857f78188a↗
urlhttps://git.codelinaro.org/clo/la/kernel/msm-4.14/-/commit/d43222efda5a01c9804d74a541e3c1be9b7fe110↗
- →Vulnerability class is use-after-free triggered during a remote call from HLOS (High-Level OS) to DSP via DSP Services; monitor for anomalous HLOS-to-DSP IPC/RPC calls on Qualcomm chipset devices. ↗
- →CVE is listed in CISA KEV (Known Exploited Vulnerabilities), indicating active in-the-wild exploitation; prioritize detection and patching on Android devices running affected Qualcomm chipsets. ↗
- →Patch is tracked under Android Security Bulletin reference A-266568298 and Qualcomm QC-CR#3447219; verify kernel patch presence on Android devices to confirm remediation. ↗
- ·Vulnerability affects multiple Qualcomm chipsets; specific affected chipset models are not enumerated in the available sources — check Qualcomm's security advisory for the full affected product list. ↗
- ·Two separate kernel patch commits exist for different kernel versions (msm-5.15 and msm-4.14); ensure the correct patch is applied for the kernel version in use. ↗
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck7.8HIGH
cisa7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Qualcomm Multiple Chipsets Use-After-Free Vulnerability
cisa·2023-12-05·CVSS 7.8
CVE-2023-33063 [HIGH] CWE-416 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
Vulnerability: Qualcomm Multiple Chipsets Use-After-Free Vulnerability
Affected: Qualcomm Multiple Chipsets
Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services during a remote call from HLOS to DSP.
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://git.codelinaro.org/clo/la/kernel/msm-5.15/-/commit/2643808ddbedfaabbb334741873fb2857f78188a, https://git.codelinaro.org/clo/la/kernel/msm-4.14/-/
Android
CVE-2023-33063: Kernel
vendor_android·2023-12-01·CVSS 7.8
CVE-2023-33063 [HIGH] CVE-2023-33063: Kernel
Android Security Bulletin 2023-12-01
CVE: CVE-2023-33063
Severity: HIGH
Component: Kernel
References: A-266568298
QC-CR#3447219
[2]
GHSA
GHSA-534v-34xw-2g2m: Memory corruption in DSP Services during a remote call from HLOS to DSP
ghsa_unreviewed·2023-12-05
CVE-2023-33063 [HIGH] CWE-416 GHSA-534v-34xw-2g2m: Memory corruption in DSP Services during a remote call from HLOS to DSP
Memory corruption in DSP Services during a remote call from HLOS to DSP.
VulnCheck
Qualcomm Multiple Chipsets Use-After-Free Vulnerability
vulncheck·2023·CVSS 7.8
CVE-2023-33063 [HIGH] CWE-416 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
Qualcomm Multiple Chipsets Use-After-Free Vulnerability
Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services during a remote call from HLOS to DSP.
Affected: Qualcomm Multiple Chipsets
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://ti.qianxin.com/uploads/2024/02/02/dcc93e586f9028c68e7ab34c3326ff31.pdf; https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_
No detection rules found.
No public exploits indexed.
2023-12-05
Published
2023-12-05
Added to CISA KEV
Exploited in the wild