EUVD-2025-16704

CVE-2025-21485 HIGH
2025-06-03 [email protected]
CVSS 3.1: 7.8

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 17:04 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 17:04 (euvd), EUVD-2025-16704
CVE Published: Jun 03, 2025 - 06:15 (nvd), HIGH 7.8

Description

Memory corruption while processing INIT and multimode invoke IOCTL calls on FastRPC.

Analysis

A memory corruption vulnerability in Qualcomm's FastRPC implementation that enables local privilege escalation through malformed INIT and multimode invoke IOCTL calls. An attacker with local access and basic user privileges can trigger memory corruption to achieve code execution with elevated privileges, potentially compromising system integrity and confidentiality. The CVSS score of 7.8 indicates high severity, though exploitation requires local access and an authenticated session context.

Technical Context

FastRPC (Fast Remote Procedure Call) is a Qualcomm proprietary inter-process communication (IPC) mechanism used extensively in Snapdragon chipsets for communication between ARM processors and Qualcomm's Hexagon Digital Signal Processors (DSPs). The vulnerability exists in the kernel-space FastRPC driver's IOCTL handler, specifically in the processing of INIT and multimode invoke commands.

The root cause is CWE-367 (Time-of-check Time-of-use Race Condition): validation checks on IOCTL parameters occur at a different time than the point where those parameters are actually used, which allows an attacker to modify memory between validation and use. This affects the Qualcomm SDM, SM, and MSM chipset families, where FastRPC is the primary DSP communication interface. The vulnerability manifests in the kernel FastRPC subsystem (typically exposed at /dev/adsprpc-smd), which handles both synchronous and asynchronous RPC invocations.

Affected Products

Qualcomm Snapdragon chipsets with a FastRPC implementation, including: SDM845, SDM865, SDM888, SM8250, SM8350, SM8450, SM8550 series and MSM chipset variants.

Affected operating systems: Android (primary vector, versions 10-15+) and Linux kernels with the Qualcomm FastRPC driver enabled (Qualcomm proprietary kernels).

Specific CPE context (inferred from Qualcomm security bulletins):
cpe:2.3:o:qualcomm:snapdragon:*:*:*:*:*:*:*:* (all versions lacking the patch)
cpe:2.3:o:google:android:*:*:*:*:*:snapdragon:*:* (Android on affected chipsets)

Patch availability should be checked in Qualcomm Security Bulletin entries for 2025-01 or 2025-02 (based on CVE date). Typical remediation involves kernel patches to the FastRPC IOCTL handler (drivers/soc/qcom/msm_rpc*.c or equivalent) that add proper synchronization (mutex/spinlock) between parameter validation and use.

Remediation

Immediate mitigation:
(1) Apply kernel security patches from Qualcomm or the OEM vendor (check the device security bulletin for January 2025 or later).
(2) On Android, ensure the device is running the latest security patch level.
(3) Restrict shell access and local account creation on affected devices.
(4) Monitor for suspicious FastRPC IOCTL calls via audit logs, if available.

Long-term fix: the patch must serialize IOCTL validation and execution using proper synchronization primitives (mutexes around parameter validation and dereferencing).

Workarounds if no patch is available: disable the FastRPC subsystem entirely (this breaks DSP functionality and is not practical), or use LSM/SELinux policies to restrict /dev/adsprpc-smd access to trusted processes only.

Vendor advisory links: check the Qualcomm Security Updates page (security.qualcomm.com) for January 2025+ bulletins, and cross-reference with OEM (Samsung, Google, etc.) security updates for specific device models.
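The check-then-use race described under Technical Context, next to a hardened form in the direction Remediation points, as an added example that is not taken from Qualcomm's driver or from this advisory. It is a single-threaded C model in which a hook stands in for the racing thread; the struct layout, function names and 64-byte limit are assumptions, and the hardened handler uses a snapshot-then-validate pattern rather than the locking the page names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_LIMIT 64u  /* size the bounds check is meant to enforce */
/* Hypothetical request in caller-writable memory (not FastRPC's real ABI). */
struct shared_req {
    volatile uint32_t len;   /* the caller can rewrite this at any moment */
    unsigned char data[256];
};

/* Models a second caller thread winning the race between check and use. */
typedef void (*race_hook)(struct shared_req *);
static void grow_len(struct shared_req *r) { r->len = 200; }

/* Oversized backing store so the demo itself never writes out of bounds. */
static unsigned char kbuf[256];

/* Flawed: len is fetched twice, once for the check and once for the copy. */
long handle_double_fetch(struct shared_req *r, race_hook racer)
{
    if (r->len > KBUF_LIMIT)          /* fetch 1: time of check */
        return -1;
    if (racer) racer(r);              /* window between check and use */
    uint32_t used = r->len;           /* fetch 2: time of use */
    memcpy(kbuf, r->data, used);
    return (long)used;
}

/* Hardened: one fetch into private memory, then validate and use that copy.
 * In a driver this is a single copy_from_user() of the request header. */
long handle_snapshot(struct shared_req *r, race_hook racer)
{
    uint32_t len = r->len;            /* single fetch */
    if (len > KBUF_LIMIT)
        return -1;
    if (racer) racer(r);              /* later rewrites no longer matter */
    memcpy(kbuf, r->data, len);
    return (long)len;
}

int main(void)
{
    struct shared_req a = { .len = 16 }, b = { .len = 16 };
    printf("double fetch copied %ld bytes (limit %u)\n",
           handle_double_fetch(&a, grow_len), KBUF_LIMIT);
    printf("snapshot copied %ld bytes\n", handle_snapshot(&b, grow_len));
    return 0;
}
```

A lock covers races on state the driver owns; the snapshot covers values that live in memory the caller can still write.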

Priority Score

39 (scale: Low, Medium, High, Critical)
KEV: 0
EPSS: +0.0
CVSS: +39
POC: 0

EUVD-2025-16704 vulnerability details – vuln.today