CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Description
Information disclosure when an invalid RTCP packet is received during a VoLTE/VoWiFi IMS call.
Analysis
CVE-2024-53026 is an information disclosure vulnerability in IMS (IP Multimedia Subsystem) implementations affecting VoLTE and VoWiFi call processing. When a malicious or malformed RTCP (Real-time Transport Control Protocol) packet is received during an active call, the vulnerable system leaks sensitive information to a network-adjacent attacker without requiring authentication or user interaction. The CVSS 8.2 rating reflects high confidentiality impact with partial availability degradation; exploitation likelihood and real-world activity status require cross-referencing with EPSS and KEV data.
Technical Context
This vulnerability exists in the RTCP packet handling logic within IMS core network elements (typically P-CSCF, I-CSCF, or S-CSCF) and user equipment (UE) implementations. RTCP (RFC 3550) is used for real-time transport feedback in VoIP/VoLTE sessions. The root cause is classified as CWE-126 (Buffer Over-read), indicating improper bounds checking when parsing RTCP packet headers or payloads. When an invalid RTCP packet (malformed length fields, unexpected compound structures, or crafted extension headers) is processed, the parser may read beyond allocated buffer boundaries, exposing adjacent memory containing call metadata, session tokens, user identifiers, or other sensitive call-state information. The vulnerability affects IMS protocol stacks across multiple vendors' implementations (Huawei, Nokia, Ericsson telecom infrastructure and chipset manufacturers), though specific CPE identifiers would be needed to pinpoint exact product versions and SKUs.
Affected Products
IMS call control and RTP processing implementations in: (1) Telecom Infrastructure—Huawei IMS core (P/I/S-CSCF), Nokia NSN IMS, Ericsson Communication Manager IMS subsystems; (2) Mobile Device Chipsets—Qualcomm Snapdragon modems with IMS stack (X55, X65 series likely affected), MediaTek Dimensity IMS components; (3) Enterprise VoWiFi implementations—Cisco IMS, Mavenir cloud-native IMS. Specific affected versions require vendor advisories; expected scope includes implementations released 2018-2023 that predate RTCP validation hardening. No detailed CPE strings are provided in the stated data, but typical CPE format would be: cpe:2.3:a:vendor:ims_product:version:*:*:*:*:*:*:* for affected telecom vendors. End users affected include: mobile subscribers using VoLTE on affected carrier networks, enterprise users on VoWiFi-enabled networks, and IoT devices with IMS connectivity.
Remediation
Immediate mitigation: (1) Implement network-layer ingress filtering to block RTCP packets with invalid structures at the RAN/core boundary using DPI rules that validate RFC 3550 compliance; (2) Deploy RTCP packet sanitization middleware that performs strict bounds-checking before passing to IMS stack. Long-term fixes: (1) Apply vendor-specific security patches (contact Huawei/Nokia/Ericsson for CVE-2024-53026 advisories); (2) Upgrade to patched IMS core versions once available (typically designated as security-focused minor versions, e.g., 15.1.1 SP5 with security fixes); (3) For device chipsets, push OTA modem firmware updates from device manufacturers (Samsung, Google, OnePlus, etc.). Validate patches by testing with fuzzed RTCP packets using tools like radamsa or custom RTCP fuzzers to confirm bounds-checking is enforced. No public workarounds exist; patching is the only mitigation.
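The bounds checks that the Technical Context and the sanitization step above refer to can be sketched as a pre-parse validator. This is an added example, not code from any vendor's IMS stack or from the advisory. It assumes classic RFC 3550 compound packets (first packet SR or RR, so reduced-size RTCP is rejected), and the function name, verdict names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Verdict names are this example's own, not from any vendor stack. */
enum rtcp_verdict { RTCP_OK, RTCP_TOO_SHORT, RTCP_BAD_VERSION,
                    RTCP_BAD_FIRST_PT, RTCP_BAD_PADDING, RTCP_LENGTH_OVERRUN };

/* Constructed samples: RR + SDES compound (20 bytes), and an RR whose
 * length field claims 1024 bytes while only 8 were received. */
static const uint8_t sample_valid[] = {
    0x80, 0xC9, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44,
    0x81, 0xCA, 0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x01, 0x01, 'a', 0x00 };
static const uint8_t sample_overrun[] = {
    0x80, 0xC9, 0x00, 0xFF, 0x11, 0x22, 0x33, 0x44 };

/* Walk a compound RTCP datagram and check each header's length field
 * (32-bit words minus one) against the bytes actually received before
 * any payload byte is touched. */
enum rtcp_verdict rtcp_validate_compound(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    if (buf == NULL || len < 4)
        return RTCP_TOO_SHORT;
    while (off < len) {
        if (len - off < 4)                      /* truncated header */
            return RTCP_TOO_SHORT;
        const uint8_t *p = buf + off;
        size_t pkt_len = ((size_t)((p[2] << 8) | p[3]) + 1) * 4;
        if ((p[0] >> 6) != 2)
            return RTCP_BAD_VERSION;
        if (off == 0 && p[1] != 200 && p[1] != 201)   /* first must be SR/RR */
            return RTCP_BAD_FIRST_PT;
        if (pkt_len > len - off)                /* would read past datagram */
            return RTCP_LENGTH_OVERRUN;
        if (p[0] & 0x20) {                      /* padding bit set */
            uint8_t pad = p[pkt_len - 1];       /* in bounds: checked above */
            if (off + pkt_len != len || pad == 0 || pad % 4 != 0 ||
                pad > pkt_len - 4)
                return RTCP_BAD_PADDING;
        }
        off += pkt_len;
    }
    return RTCP_OK;
}

int main(void)
{
    return rtcp_validate_compound(sample_valid, sizeof sample_valid) != RTCP_OK ||
           rtcp_validate_compound(sample_overrun, sizeof sample_overrun) == RTCP_OK;
}
```

Only datagrams that return `RTCP_OK` would be handed to the media stack; every other verdict is a drop-and-log event that can also feed detection of malformed-RTCP probing.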
EUVD-2024-54631