Original Article Text

Qualcomm says hackers exploit 3 zero-days in its GPU, DSP drivers

Qualcomm is warning of three zero-day vulnerabilities in its GPU and Compute DSP drivers that hackers are actively exploiting in attacks.

The American semiconductor company was told by Google's Threat Analysis Group (TAG) and Project Zero teams that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.

Qualcomm says it has released security updates that address the issues in its Adreno GPU and Compute DSP drivers, and impacted OEMs were also notified.

The CVE-2022-22071 flaw was disclosed in May 2022 and is a high-severity (CVSS v3.1: 8.4), locally exploitable use-after-free bug impacting popular chips like the SD855, SD865 5G, and SD888 5G.

Qualcomm has not released any details on the actively exploited CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063 flaws and will provide more information in its December 2023 bulletin.

This month's security bulletin also warns of three other critical vulnerabilities:

Along with the above, Qualcomm has disclosed 13 high-severity flaws and another three critical-severity vulnerabilities discovered by its engineers.

As the CVE-2023-24855, CVE-2023-2854, and CVE-2023-33028 flaws are all remotely exploitable, they are critical from a security standpoint, but there is no indication they are exploited.

Unfortunately, there isn't a lot impacted consumers can do besides applying the available updates as soon as those reach them through the usual OEM channels.

Flaws in drivers usually require local access to exploit, typically achieved through malware infections, so Android device owners are recommended to limit the number of apps they download and only source them from trustworthy repositories.

Yesterday, Arm issued a similar security advisory warning about an actively exploited flaw (CVE-2023-4211), discovered and reported to them by Google's Threat Analysis Group (TAG) and Project Zero, which impacts a wide range of Mali GPU drivers.

Daily Brief Summary

CYBERCRIME // Qualcomm Announces Active Exploitation of Three Zero-day Security Flaws in its GPU, DSP Drivers

Qualcomm has disclosed three zero-day vulnerabilities in its GPU and Compute DSP drivers that are currently being exploited.

Google’s Threat Analysis Group (TAG) and Project Zero teams reported the potential limited, targeted exploitation of the vulnerabilities CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063.

Qualcomm has already issued security updates addressing these issues, and vulnerable OEMs have been notified.

The CVE-2022-22071 flaw was disclosed in May 2022 and is a high-severity, locally exploitable flaw that impacts popular chips like the SD855, SD865 5G, and SD888 5G.

More information regarding the exploitation of the CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063 vulnerabilities will be provided in Qualcomm's December 2023 bulletin.

Qualcomm has also disclosed 13 high-severity and three critical-severity flaws, the latter being remotely exploitable. However, there is no evidence these have been exploited.

While consumers await updates, Qualcomm advises Android device owners to limit the number of downloaded applications, sourcing them strictly from trustworthy repositories.

Yesterday, Arm released a similar advisory, warning of an actively exploited flaw in a range of its Mali GPU drivers.