CVE-2023-33063
Use After Free in DSP Services
Vexday Risk Score
51 · Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 7.8 · EPSS 0.7% · KEV yes · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
05 Dec 2023 · Active exploitation (CISA KEV)
05 Dec 2023 · Published on NVD
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
A memory error in DSP Services allows an attacker to exploit freed memory when HLOS (High-Level Operating System) communicates with the DSP processor, potentially crashing the system or executing unintended code.
Technical detail
A use-after-free vulnerability in DSP Services is triggered via remote procedure calls from HLOS to the DSP. It requires the ability to initiate IPC and results in memory corruption that may lead to denial of service or code execution in the DSP context.
Summary generated and translated by AI from the official description.
Memory corruption in DSP Services during a remote call from HLOS to DSP.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Qualcomm, Inc. · Snapdragon