Qualcomm Snapdragon Auto up to WSA8845H UE improper authentication

Summaryinfo

A vulnerability marked as critical has been reported in Qualcomm Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon MDM, Snapdragon Mobile, Snapdragon WBC and Snapdragon Wearables. Affected by this vulnerability is an unknown functionality of the component UE. Performing a manipulation results in improper authentication. This vulnerability is known as CVE-2024-38426. Access to the local network is required for this attack. No exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, was found in Qualcomm Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon MDM, Snapdragon Mobile, Snapdragon WBC and Snapdragon Wearables. This affects an unknown code of the component UE. The manipulation with an unknown input leads to a improper authentication vulnerability. CWE is classifying the issue as CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

While processing the authentication message in UE, improper authentication may lead to information disclosure.

It is possible to read the advisory at docs.qualcomm.com. This vulnerability is uniquely identified as CVE-2024-38426 since 06/16/2024. The exploitability is told to be easy. The attack needs to be initiated within the local network. No form of authentication is needed for exploitation. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 08/11/2025).

Upgrading eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Chip Software

Vendor

• Qualcomm

Name

• Snapdragon Auto
• Snapdragon Compute
• Snapdragon Consumer IOT
• Snapdragon Industrial IOT
• Snapdragon MDM
• Snapdragon Mobile
• Snapdragon WBC
• Snapdragon Wearables

Version

• 210 Processor
• AR8035
• CSRA6620
• CSRA6640
• CSRB31024
• FastConnect 6200
• FastConnect 6700
• FastConnect 6800
• FastConnect 6900
• FastConnect 7800
• MDM9205S
• MDM9628
• MDM9640
• MSM8996AU
• QCA4004
• QCA6174A
• QCA6310
• QCA6320
• QCA6391
• QCA6564A
• QCA6564AU
• QCA6574A
• QCA6574AU
• QCA6584
• QCA6584AU
• QCA6595AU
• QCA6696
• QCA6698AQ
• QCA8081
• QCA8337
• QCA9367
• QCA9377
• QCC710
• QCC711
• QCM2150
• QCM2290
• QCM4290
• QCM4325
• QCM4490
• QCM6125
• QCN6024
• QCN6224
• QCN6274
• QCN9024
• QCS410
• QCS610
• QCS2290
• QCS4290
• QCS4490
• QCS6125
• QEP8111
• QFW7114
• QFW7124
• QTS110
• SD 675
• SD675
• SD730
• SD835
• SDM429W
• SDX55
• SDX57M
• SDX61
• SDX71M
• SDX80M
• SG4150P
• SM6650
• SM7250P
• SM7635
• SM7675
• SM7675P
• SM8635
• SM8635P
• SM8650Q
• SW5100
• SW5100P
• WCD9306
• WCD9326
• WCD9330
• WCD9335
• WCD9340
• WCD9341
• WCD9370
• WCD9371
• WCD9375
• WCD9378
• WCD9380
• WCD9385
• WCD9390
• WCD9395
• WCN3610
• WCN3615
• WCN3620
• WCN3660B
• WCN3680
• WCN3680B
• WCN3910
• WCN3950
• WCN3980
• WCN3988
• WCN3990
• WCN6450
• WCN6650
• WCN6755
• WCN7861
• WCN7881
• WSA8810
• WSA8815
• WSA8830
• WSA8832
• WSA8835
• WSA8840
• WSA8845
• WSA8845H

License

• commercial

Website

• Vendor: https://www.qualcomm.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion