CVE-2021-30326 in Snapdragon Autoinfo

Summary

by MITRE • 02/11/2022

Possible assertion due to improper size validation while processing the DownlinkPreemption IE in an RRC Reconfiguration/RRC Setup message in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/16/2022

The vulnerability identified as CVE-2021-30326 represents a critical assertion failure occurring within the Radio Resource Control (RRC) processing logic of Qualcomm Snapdragon automotive and mobile platform components. This issue manifests specifically during the handling of DownlinkPreemption information elements within RRC Reconfiguration or RRC Setup messages, indicating a fundamental flaw in how the system validates incoming packet sizes before processing. The vulnerability affects multiple Snapdragon product lines including automotive platforms, compute modules, connectivity solutions, industrial IoT devices, and mobile platforms, suggesting widespread exposure across Qualcomm's embedded systems portfolio.

The technical root cause stems from inadequate size validation mechanisms within the RRC message processing pipeline. When the system receives an RRC Reconfiguration or RRC Setup message containing a DownlinkPreemption IE, the processing routine fails to properly validate the expected size of the information element before attempting to parse its contents. This validation gap allows an attacker to craft malicious RRC messages with oversized or malformed DownlinkPreemption IEs that trigger assertion failures within the software stack. The assertion failure typically results in system crashes, process termination, or unexpected behavior that can disrupt normal communication flows and potentially create denial of service conditions.

The operational impact of this vulnerability extends beyond simple service disruption to encompass potential security compromise and system instability across automotive and industrial environments. In automotive applications, this vulnerability could affect vehicle communication systems, potentially disrupting critical functions such as telematics, infotainment, or vehicle-to-everything communications. The vulnerability's presence in Snapdragon Auto platforms specifically raises concerns about connected vehicle security and the potential for attackers to exploit this weakness to gain control over vehicle communication systems. Industrial IoT deployments using Snapdragon Industrial IOT components may experience unexpected system failures that could impact operational continuity and safety-critical processes.

Mitigation strategies for this vulnerability should focus on implementing robust size validation checks within the RRC processing stack, ensuring that all information elements are properly validated against expected size parameters before parsing operations begin. System updates and patches should be deployed immediately to address the validation logic flaws, with particular attention to the DownlinkPreemption IE handling within RRC messages. Network monitoring solutions should be enhanced to detect anomalous RRC message patterns that might indicate exploitation attempts, while implementing rate limiting and message filtering mechanisms to prevent malformed packets from reaching vulnerable processing components. The vulnerability aligns with CWE-129 and CWE-704 categories related to improper input validation and incorrect behavior ordering, and represents a potential entry point for adversaries following ATT&CK techniques targeting communication protocols and system stability. Organizations should conduct thorough vulnerability assessments across their Snapdragon-based deployments and implement continuous monitoring to detect potential exploitation attempts.

Responsible

Qualcomm, Inc.

Reservation

04/07/2021

Disclosure

02/11/2022

Moderation

accepted

CPE

ready

EPSS

0.00568

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!