Not long after ARM revealed several serious security issues in some of its GPU products, Qualcomm has now done the same.
In both cases, the company was alerted to the existence of the flaw by Google’s Threat Analysis Group (TAG) and the Project Zero group.
Qualcomm’s flaws were found in the Adreno GPU and Compute DSP drivers and are tracked as CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063. As with ARM, these are also used for “limited, targeted exploitation,” which is the common modus operandi for state-sponsored threat actors who often engage in espionage and data exfiltration from government endpoints, as well as those belonging to critical infrastructure, financial institutions or think tanks.
Qualcomm has addressed the shortcomings with an update, in which relevant OEMs have also been notified. “Patches have been made available for the issues affecting the Adreno GPU and Compute DSP drivers, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible,” the company said in an advisory . Because Qualcomm is “being abused in the wild,” Qualcomm did not share more details about the shortcomings. It says this will happen when it releases its December 2023 bulletin.
Qualcomm’s latest security advisory also lists a number of other flaws that have been fixed, including CVE-2023-24855, CVE-2023-28540, and CVE-2023-33028, among 13 others.
There are no fixes available at this time, and all users and organizations can do is wait for the patch to become available. The good news is that for most defects there is no evidence of abuse in the wild.
In ARM’s case, the flaws affected multiple consumer devices, including the Samsung Galaxy S20/S20 FE, Xiaomi Redmi K30/K40, Motorola Edge 40 and OnePlus Nord 2. Bifrost, Valhall and Arm 5th generation GPUs were affected.
Through BleepingComputer