A high-severity zero-day vulnerability in Qualcomm chipsets has been discovered by Google and Amnesty International, with the flaw being actively exploited in targeted attacks. Qualcomm released a security bulletin for the memory corruption vulnerability known as CVE-2024-43047, affecting various versions of Qualcomm chipsets that utilize the FASTRPC driver.
The vulnerability was reported by Seth Jenkins from Google Project Zero and Conghui Wang from Amnesty International Security Lab on July 29, with Qualcomm starting to notify customers about the issue on September 2. The company warned that the zero-day vulnerability is currently being exploited in the wild, prompting immediate action to address the issue.
Qualcomm emphasized the critical nature of the vulnerability, stating that it could potentially lead to remote code execution or privilege escalation. The CVE-2024-43047 vulnerability received a CVSS score of 7.8, highlighting the severity of the issue. Patches have been made available to OEMs, with a strong recommendation to deploy the updates on affected devices as soon as possible to mitigate the risk.
In response to the discovery, Seth Jenkins mentioned on social media platform X (formerly Twitter) that patches for Android devices are expected to be released soon. Jenkins also highlighted the collaboration between Project Zero, Google’s Threat Analysis Group (TAG), and Amnesty International in identifying and addressing the vulnerability.
While the specific extent of the exploitation activity remains unclear, Qualcomm emphasized its commitment to prioritizing security and privacy in its technologies. The company commended the researchers for their coordinated disclosure practices and encouraged end users to apply security updates from device manufacturers as they become available.
Despite attempts to reach out to Google and Amnesty International for comment, there has been no response at the time of reporting. The involvement of TAG and Amnesty International in previous spyware research activities, particularly in efforts to expose surveillance vendor abuses and spyware exploitation, raises concerns about the potential implications of the Qualcomm chipset vulnerability.
TAG’s previous report highlighted the role of commercial surveillance vendors in driving zero-day exploits, with Google attributing a significant portion of known zero-day exploits to such vendors. The ongoing abuse of spyware has prompted calls for increased government action to address these threats and protect users from potential security risks.
Amnesty International’s involvement in the Pegasus Project, which aimed to uncover the misuse of NSO Group’s Pegasus spyware against individuals such as human rights activists and journalists, underscores the broader implications of cybersecurity threats and the need for continued vigilance in combating malicious activities.
As the cybersecurity landscape continues to evolve, the collaborative efforts of researchers, technology companies, and advocacy groups remain crucial in identifying and addressing vulnerabilities to safeguard user privacy and security in an increasingly connected world.
Arielle Waldman, a news writer for TechTarget Editorial specializing in enterprise security, contributed to this report.