⚠ Actively exploited

Added to CISA KEV on 2023-12-05. Federal agencies required to patch by 2023-12-26. Required action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable..

CVE-2023-33107 — Integer Overflow or Wraparound in INC Snapdragon

CWE-190 — Integer Overflow or Wraparound6 documents6 sources

Severity

7.8HIGHNVD

VulnCheck8.4

EPSS

0.4%

top 39.27%

CISA KEV

KEV

Added 2023-12-05

Due 2023-12-26

Exploit

Exploited in wild

Active exploitation observed

Affected products

Qualcomm INC Snapdragon Google Android

Timeline

PublishedDec 5

KEV addedDec 5

KEV dueDec 26

CISA Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.

Description

Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶googlegoogle/android

▶CVEListV5qualcomm_inc/snapdragon242 versions+241

Patches

Patch: www.qualcomm.com ↗Patch: www.qualcomm.com ↗

🔴Vulnerability Details

GHSA

GHSA-wg3g-ggh3-7wgp: Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call↗2023-12-05

▶

VulnCheck

Qualcomm Multiple Chipsets Integer Overflow Vulnerability↗2023

▶

Project0

Project Zero RCA: CVE-2023-33107: Qualcomm Adreno GPU KGSL_IOCTL_GPUOBJ_IMPORT integer overflow↗

▶

📋Vendor Advisories

CISA

Qualcomm Multiple Chipsets Integer Overflow Vulnerability↗2023-12-05

▶

Android

CVE-2023-33107: Display↗2023-12-01

▶