Not long after ARM disclosed multiple severe security vulnerabilities in some of its GPU products, Qualcomm has now done the same.
In both cases, the company was tipped off to the existence of the flaw by Google’s Threat Analysis Group (TAG), and Project Zero group.
Qualcomm’s flaws were found in the Adreno GPU and Compute DSP drivers, and are being tracked as CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063. As was the case with ARM, these too are being used in “limited, targeted exploitation”, which is the usual modus operandi for state-sponsored threat actors often engaged in espionage and data exfiltration from government endpoints, as well as those belonging to critical infrastructure, financial institutions, or think-tanks.
Qualcomm has addressed the flaws with an update, with relevant OEMs being notified, as well. “Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible,” the company said in an advisory. Aside from the fact that they’re being “abused in the wild”, Qualcomm did not share more details about the flaws. It said it will do so when it releases its December 2023 bulletin.
Qualcomm’s latest security advisory also lists a couple of other flaws that were addressed, including CVE-2023-24855, CVE-2023-28540, and CVE-2023-33028, and 13 others.
No workarounds are available at the time, and the only thing users and organizations can do is sit tight and wait for the patch to become available. The good news is that for most of the flaws, there is no evidence of abuse in the wild.
In ARM’s case, the flaws affected multiple consumer devices, including Samsung Galaxy S20/S20 FE, Xiaomi Redmi K30/K40, Motorola Edge 40, and OnePlus Nord 2. Bifrost, Valhall, and Arm 5th Gen GPUs were affected.
Via BleepingComputer