Multiple Vulnerabilities in Qualcomm DSP Driver Raise Security Concerns
2024-12-16
Google's Project Zero team discovered six vulnerabilities in a Qualcomm DSP driver, one of which was exploited in the wild. The flaws were revealed through analysis of kernel panic logs provided by Amnesty International, without access to the exploit sample itself. A code review uncovered multiple memory corruption vulnerabilities, including use-after-free bugs and refcount leaks. The attacker likely leveraged these vulnerabilities, together with heap spraying of inotify_event_info objects, to achieve code execution. The findings highlight the critical need for improved security in Android's third-party drivers.