CVE-2021-35074 in Snapdragon Autoinfo

Summary

by MITRE • 02/11/2022

Possible integer overflow due to improper fragment datatype while calculating number of fragments in a request message in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/16/2022

This vulnerability represents a critical integer overflow condition that occurs within the fragment processing logic of network communication protocols on Qualcomm Snapdragon chipsets. The flaw manifests when the system improperly handles fragment datatype calculations during request message processing, specifically in the context of determining the total number of fragments within a message. The vulnerability affects multiple Snapdragon product lines including automotive, connectivity, industrial iot, and mobile platforms, indicating a widespread impact across Qualcomm's embedded systems portfolio.

The technical root cause stems from inadequate input validation and arithmetic overflow handling within the fragment counting mechanism. When processing network requests that contain fragmented data, the system fails to properly validate the datatype used for fragment count calculations, leading to potential integer overflow conditions. This occurs because the system does not adequately check for boundary conditions or implement proper overflow detection mechanisms when computing fragment counts. The improper handling of fragment datatypes creates a scenario where maliciously crafted network requests could cause the fragment counter to wrap around or exceed maximum representable values, potentially leading to unpredictable behavior.

The operational impact of this vulnerability extends beyond simple denial of service conditions to potentially enable more sophisticated attack vectors. An attacker could exploit this weakness to manipulate fragment processing logic, potentially causing buffer overflows, memory corruption, or execution of arbitrary code within the affected systems. The vulnerability's presence across multiple Snapdragon product categories suggests that it could affect automotive systems, industrial IoT deployments, and mobile devices, creating widespread exposure across critical infrastructure and consumer electronics. This makes the vulnerability particularly concerning from a supply chain security perspective, as it affects foundational chipsets used in numerous devices.

Mitigation strategies should focus on implementing proper integer overflow detection mechanisms and strengthening input validation procedures within fragment processing code. Organizations should prioritize firmware updates from device manufacturers that address this vulnerability, while also implementing network segmentation and monitoring to detect potential exploitation attempts. The vulnerability aligns with CWE-190, which specifically addresses integer overflow conditions, and could potentially map to ATT&CK techniques related to privilege escalation and code execution through memory corruption vulnerabilities. Regular security assessments of embedded systems should include verification of fragment processing logic and proper datatype handling to prevent similar issues from emerging in future deployments.

Responsible

Qualcomm, Inc.

Reservation

06/21/2021

Disclosure

02/11/2022

Moderation

accepted

CPE

ready

EPSS

0.00188

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!