CVE-2024-43047
published 2024-10-07
CVE-2024-43047: Memory corruption while maintaining memory maps of HLOS memory.
Priority P184 · high · 7.8 · CVSS 3.1
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability · due 2024-10-29
Exploited in the wild
EPSS: 0.67% (47.4th percentile)
Affected
65 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | |
| qualcomm_inc | snapdragon | — | — |
Detection & IOCs (extracted from sources)
- CVE-2024-43047 is a use-after-free (UAF) vulnerability in Qualcomm's FASTRPC/DSP kernel driver; look for memory corruption events or UAF patterns in the DSP service on Android devices running Qualcomm chipsets (Snapdragon 8 and 63 other affected chipsets)
- CVE-2024-43047 has been used in targeted NoviSpy spyware attacks against Android devices belonging to activists, journalists, and protestors by Serbian authorities; treat exploitation as indicative of nation-state or law-enforcement-grade spyware deployment
- Exploitation requires only local access with low privileges; monitor for unexpected privilege escalation from low-privileged processes interacting with the Qualcomm FASTRPC/DSP driver on Android 12–15
- Patches for the FASTRPC driver were provided to OEMs in September 2024; actual device patch availability depends on individual device manufacturers deploying the update — end-user devices may remain unpatched even after Qualcomm's fix was issued
- The vulnerability affects Android versions 12 through 15 and is present in closed-source Qualcomm components; Android 11 and older are unsupported and may not receive the fix
CVSS provenance
nvd · v3.1 · 7.8 · HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck · 7.8 · HIGH
cisa · 7.8 · HIGH
Android
CVE-2024-43047: Kernel
vendor_android·2024-11-01·CVSS 7.8
CVE-2024-43047 [HIGH] CVE-2024-43047: Kernel
Android Security Bulletin 2024-11-01
CVE: CVE-2024-43047
Severity: HIGH
Component: Kernel
References: A-364017103
QC-CR#3883647
CISA
Qualcomm Multiple Chipsets Use-After-Free Vulnerability
cisa·2024-10-08·CVSS 7.8
CVE-2024-43047 [HIGH] CWE-416 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
Vulnerability: Qualcomm Multiple Chipsets Use-After-Free Vulnerability
Affected: Qualcomm Multiple Chipsets
Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory.
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Notes: https://git.codelinaro.org/clo/la/platform/vendor/qcom/opensource/dsp-kernel/-/commit/0e27b6c7d2bd8d0453e4465ac2ca49a8f8c440e2 ; https://nvd.nist.gov/vuln/detail/CVE-2024-43047
Remediation Due Date: 2024-10-29
Project0
The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit - Project Zero
project_zero·2024-12-01
CVE-2024-21455 The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit - Project Zero
Posted by Seth Jenkins, Google Project Zero
This blog post provides a technical analysis of exploit artifacts provided to us by Google's Threat Analysis Group (TAG) from Amnesty International. Amnesty’s report on these exploits is available here. Thanks to both Amnesty International and Google's Threat Analysis Group for providing the artifacts and collaborating on the subsequent technical analysis!
## Introduction
Earlier this year, Google's TAG received some kernel panic logs generated by an In-the-Wild (ITW) exploit. Those logs kicked off a bug hunt that led to the discovery of 6 vulnerabilities in one Qualcomm driver over the course of 2.5 months, including one issue that TAG reported as ITW. This blog post covers the details of the original artifacts, each of the bugs discovered,
GHSA
GHSA-36wv-6w83-xmqr: Memory corruption while maintaining memory maps of HLOS memory
ghsa_unreviewed·2024-10-07
CVE-2024-43047 [HIGH] CWE-416 GHSA-36wv-6w83-xmqr: Memory corruption while maintaining memory maps of HLOS memory
Memory corruption while maintaining memory maps of HLOS memory.
VulnCheck
Qualcomm Multiple Chipsets Use-After-Free Vulnerability
vulncheck·2024·CVSS 7.8
CVE-2024-43047 [HIGH] CWE-416 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
Qualcomm Multiple Chipsets Use-After-Free Vulnerability
Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory.
Affected: Qualcomm Multiple Chipsets
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2024-bulletin.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.androidpolice.com/qualcomm-android-vulnerability-exploited/; https://source.android.com
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Android gets patches for Qualcomm flaws exploited in attacks
blogs_bleepingcomputer·2025-08-05·CVSS 7.8
CVE-2025-21479 [HIGH] Android gets patches for Qualcomm flaws exploited in attacks
## Android gets patches for Qualcomm flaws exploited in attacks
## Sergiu Gatlan
Google has now integrated the patches announced by Qualcomm in June, when the wireless tech giant warned that "There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation."
"Patches for the issues affecting the Adreno Graphics Processing Unit (GPU) driver have been made available to OEMs in May together with a strong recommendation to deploy the update on affected devices as soon as possible," Qualcomm said.
CISA has also added the two security bugs to its catalog of actively exploited vulnerabilities on June 3rd, ordering federal agencies to secure their devices against ongoing attacks by June 24.
With this month
Bleepingcomputer
Qualcomm fixes three Adreno GPU zero-days exploited in attacks
blogs_bleepingcomputer·2025-06-02·CVSS 7.8
CVE-2025-21479 [HIGH] Qualcomm fixes three Adreno GPU zero-days exploited in attacks
## Qualcomm fixes three Adreno GPU zero-days exploited in attacks
## Sergiu Gatlan
Qualcomm has released security patches for three zero-day vulnerabilities in the Adreno Graphics Processing Unit (GPU) driver that impact dozens of chipsets and are actively exploited in targeted attacks.
The company says two critical flaws (tracked as CVE-2025-21479 and CVE-2025-21480) were reported through the Google Android Security team in late January, and a third high-severity vulnerability (CVE-2025-27038) was reported in March.
The first two are both Graphics framework incorrect authorization weaknesses that can lead to memory corruption because of unauthorized command execution in the GPU micronode while executing a specific sequence of commands, while CVE-2025-27038 is a use-after-free causi
Bleepingcomputer
Google fixes Android zero-days exploited in attacks, 60 other flaws
blogs_bleepingcomputer·2025-04-07·CVSS 5.5
CVE-2024-53197 [MEDIUM] Google fixes Android zero-days exploited in attacks, 60 other flaws
## Google fixes Android zero-days exploited in attacks, 60 other flaws
## Sergiu Gatlan
Google has released patches for 62 vulnerabilities in Android's April 2025 security update, including two zero-days exploited in targeted attacks.
One of the zero-days, a high-severity privilege escalation security vulnerability (CVE-2024-53197) in the Linux kernel's USB-audio driver for ALSA Devices, was reportedly exploited by Serbian authorities to unlock confiscated Android devices as part of a zero-day exploit chain developed by Israeli digital forensics company Cellebrite.
This exploit chain—which also included a USB Video Class zero-day (CVE-2024-53104) patched in February and a Human Interface Devices zero-day (CVE-2024-50302) patched last month—was discovered by Amnesty International's
Bleepingcomputer
Google fixes Android zero-day exploited by Serbian authorities
blogs_bleepingcomputer·2025-03-04·CVSS 7.3
CVE-2024-50302 [HIGH] Google fixes Android zero-day exploited by Serbian authorities
## Google fixes Android zero-day exploited by Serbian authorities
## Sergiu Gatlan
Google has released patches for 43 vulnerabilities in Android's March 2025 security update, including two zero-days exploited in targeted attacks.
Serbian authorities have used one of the zero-days, a high-severity information disclosure security vulnerability (CVE-2024-50302) in the Linux kernel's driver for Human Interface Devices, to unlock confiscated devices.
The flaw was reportedly exploited as part of an Android zero-day exploit chain developed by Israeli digital forensics company Cellebrite to unlock confiscated devices.
The exploit chain—which also includes a USB Video Class zero-day (CVE-2024-53104) patched last month and an ALSA USB-sound driver zero-day—was found by Amnesty International'
Bleepingcomputer
Google fixes Android kernel zero-day exploited in attacks
blogs_bleepingcomputer·2025-02-03·CVSS 7.8
CVE-2024-45569 [HIGH] Google fixes Android kernel zero-day exploited in attacks
## Google fixes Android kernel zero-day exploited in attacks
## Sergiu Gatlan
In addition to this actively exploited zero-day bug, the February 2025 Android security updates also fix a critical security flaw in Qualcomm's WLAN component.
Qualcomm describes this critical flaw (CVE-2024-45569) as a firmware memory corruption issue caused by an Improper Validation of Array Index weakness in WLAN host communication when parsing the ML IE due to invalid frame content.
CVE-2024-45569 can be exploited by remote attackers to potentially execute arbitrary code or commands, read or modify memory, and trigger crashes in low-complexity attacks that don't require privileges or user interaction.
## Android security patch levels
Google released two sets of patches for February 2025, the 2025-02-01
Bleepingcomputer
New Android NoviSpy spyware linked to Qualcomm zero-day bugs
blogs_bleepingcomputer·2024-12-16
New Android NoviSpy spyware linked to Qualcomm zero-day bugs
## New Android NoviSpy spyware linked to Qualcomm zero-day bugs
## Bill Toulas
"In February 2024, Slaviša Milanov, an independent journalist from Dimitrovgrad in Serbia who covers local interest news stories, was brought into a police station after a seemingly routine traffic stop," reads a report by Amnesty International.
"After Slaviša was released, he noticed that his phone, which he had left at the police station reception at the request of the officers, was acting strangely – the data and wi-fi settings were turned off. Aware that this can be a sign of hacking, and mindful of the surveillance threats facing journalists in Serbia, Slaviša contacted Amnesty International's Security Lab to request an analysis of his phone."
Subsequently, the researchers provided Google's Threat Anal
Securelist
Advanced threat predictions for 2025
blogs_securelist·2024-11-25·CVSS 8.8
[HIGH] Advanced threat predictions for 2025
Authors
- Igor Kuznetsov
- Giampaolo Dedola
- Georgy Kucherin
- Maher Yamout
- Vasily Berdnikov
- Isabel Manjarrez
- Ilya Savelyev
- Joao Godinho
We at Kaspersky’s Global Research and Analysis Team monitor over 900 APT (advanced persistent threat) groups and operations. At the end of each year, we take a step back to assess the most complex and sophisticated attacks that have shaped the threat landscape. These insights enable us to anticipate emerging trends and build a clearer picture of what the APT landscape may look like in the year ahead.
In this article in the KSB series, we review the trends of the past year, reflect on the predictions we made for 2024, and offer insights into what we can expect in
Checkpoint
11th November – Threat Intelligence Report
blogs_checkpoint·2024-11-11
CVE-2024-20418 11th November – Threat Intelligence Report
## 11th November – Threat Intelligence Report
Memorial Hospital and Manor in Bainbridge, Georgia, has been a victim of a ransomware attack that resulted in the loss of access to its electronic health record system. The Embargo ransomware gang has claimed responsibility, threatening to leak 1.15 terabytes of purportedly stolen data by November 8.
Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Wins.Embargo.*, Ransomware.Win.Embargo.*)
Serco, a company operating p
Bleepingcomputer
Google fixes two Android zero-days used in targeted attacks
blogs_bleepingcomputer·2024-11-05·CVSS 8.2
CVE-2024-43047 [HIGH] Google fixes two Android zero-days used in targeted attacks
## Google fixes two Android zero-days used in targeted attacks
## Bill Toulas
The CVE-2024-43047 flaw is a high-severity use-after-free issue in closed-source Qualcomm components within the Android kernel that elevates privileges.
The flaw was first disclosed in early October 2024 by Qualcomm as a problem in its Digital Signal Processor (DSP) service.
CVE-2024-43093 is also a high-severity elevation of privilege flaw, this time impacting the Android Framework component and Google Play system updates, specifically in the Documents UI.
Google did not disclose who discovered the CVE-2024-43093 vulnerability.
While Google did not share any details on how the vulnerabilities were exploited, as researchers at Amnesty International discovered CVE-2024-43047, it could indicate that the flaw
Talos
What I’ve learned in my first 7-ish years in cybersecurity
blogs_talos·2024-10-17
What I’ve learned in my first 7-ish years in cybersecurity
When I first interviewed with Joel Esler for my position at Cisco Talos, I remember when the time came for me to ask questions, one thing stood out. I asked what resources were available to me to learn about cybersecurity, because I was totally new to the space.
His answer: The people. When I asked that question, Joel told me that the entire office was a library for me. He told me to just ask as many questions as I could.
Coming from journalism, where I was reporting on a range of topics from local government, finance and banking, art and culture, and sports, cybersecurity was totally new to me. Now almost seven years later, I’ve been able to host a podcast that went nearly 200 episodes, relaunch a cybersecurity newsletter, researched malicious Facebook groups trading stolen personal inf
Bleepingcomputer
Qualcomm patches high-severity zero-day exploited in attacks
blogs_bleepingcomputer·2024-10-07·CVSS 9.8
CVE-2024-43047 [CRITICAL] Qualcomm patches high-severity zero-day exploited in attacks
## Qualcomm patches high-severity zero-day exploited in attacks
## Sergiu Gatlan
Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets.
The security flaw (CVE-2024-43047) was reported by Google Project Zero's Seth Jenkins, security researcher Conghui Wang, and Amnesty International's Security Lab. It is caused by a use-after-free weakness that can lead to memory corruption when successfully exploited by local attackers with low privileges.
"Currently, the DSP updates header buffers with unused DMA handle fds. In the put_args section, if any DMA handle FDs are present in the header buffer, the corresponding map is freed," as explained in a DSP kernel commit.
"However, since the header buffer
2024-10-07 · Published
2024-10-08 · Added to CISA KEV
Exploited in the wild