Qualcomm has issued a warning regarding three critical vulnerabilities in its Yveras Adreno GPU and Compute DSP. Hackers are actively exploiting these vulnerabilities in their attacks.
This warning comes after Google Tag and Project Zero were informed by Qualcomm about the potential limited and targeted exploitation of vulnerabilities with the identifiers CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063. Qualcomm has already released security updates that address these issues in Adreno GPU and Compute DSP drivers and has notified original equipment manufacturers (OEM) about the vulnerabilities.
One of the disclosed vulnerabilities, CVE-2022-22071 (CVSS: 8.4), was identified in May 2022 and can be exploited locally through a USE-After-Free (UAF) issue. This vulnerability affects popular Qualcomm chips such as SD855, SD865 5G, and SD888 5G. While Qualcomm did not provide specific details about the actively exploited vulnerabilities (CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063), the company has promised to provide more information in its security bulletin scheduled for release in December 2023. In addition to these vulnerabilities, Qualcomm has also uncovered 13 high-risk hazards and three critical vulnerabilities discovered by its own engineers.
Unfortunately, consumers have limited options to mitigate these vulnerabilities other than applying available updates as soon as they become available through their OEM channels. Typically, driver vulnerabilities require local access for exploitation, which is usually achieved through malware infections. Therefore, it is highly recommended to minimize the number of downloaded applications and only download from trusted sources.