American semiconductor company Qualcomm has reported the active exploitation of three zero-day vulnerabilities in its GPU and Compute DSP drivers. The vulnerabilities, identified as CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063, were brought to Qualcomm's attention by Google's Threat Analysis Group (TAG) and Project Zero teams. The teams suggested that these vulnerabilities might be the target of limited, targeted exploitation. Responding to the situation, Qualcomm has rolled out security updates to rectify the issues in its Adreno GPU and Compute DSP drivers. The company has also notified the impacted OEMs about the vulnerabilities.
The flaw CVE-2022-22071, which was disclosed in May 2022, is a high-severity locally exploitable use after free bug affecting popular chips such as the SD855, SD865 5G, and SD888 5G. However, Qualcomm has not released any details about the actively exploited CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063 flaws. The company plans to provide more information in its December 2023 bulletin.
In addition to these vulnerabilities, Qualcomm's security bulletin for this month also highlighted three other critical vulnerabilities. Furthermore, the company disclosed 13 high-severity flaws and another three critical-severity vulnerabilities discovered by its engineers. The flaws CVE-2023-24855, CVE-2023-2854, and CVE-2023-33028 are all remotely exploitable, making them critical from a security standpoint. However, there is no evidence to suggest that these vulnerabilities are being exploited.
Consumers affected by these vulnerabilities have limited options other than applying the available updates as soon as they receive them through the standard OEM channels. Vulnerabilities in drivers usually require local access to exploit, often achieved through malware infections. Therefore, Android device owners are advised to limit the number of apps they download and to only source them from reliable repositories.
In a related development, Arm issued a similar security advisory warning about an actively exploited flaw, CVE-2023-4211. This flaw was discovered and reported by Google's Threat Analysis Group (TAG) and Project Zero, and it affects a wide range of Mali GPU drivers.