CVE-2022-22078: Integer Overflow or Wraparound issues in BOOT in Qualcomm, Inc. Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables
Denial of service in BOOT when partition size for a particular partition is requested due to integer overflow when blocks are calculated in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables
AI Analysis
Technical Summary
CVE-2022-22078 is a medium-severity vulnerability affecting multiple Qualcomm Snapdragon platforms, including Snapdragon Auto, Compute, Connectivity, Consumer IoT, Industrial IoT, Mobile, and Wearables. The root cause is an integer overflow or wraparound issue in the BOOT component when calculating partition sizes. Specifically, when the system requests the size of a particular partition, the calculation of the number of blocks suffers from an integer overflow, leading to incorrect size computations. This flaw can cause a denial of service (DoS) condition, as the BOOT process may fail or behave unexpectedly due to corrupted partition size information.

The vulnerability affects a wide range of Qualcomm chipsets and modules, including but not limited to AQT1000, QCA series (e.g., QCA6174A, QCA6390), Snapdragon Mobile series (e.g., SD835, SD865 5G), and various WCD and WCN wireless components.

The CVSS v3.1 base score is 4.6, indicating a medium severity level, with the vector AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. This means the attack requires physical access to the device, has low attack complexity, requires no privileges or user interaction, and impacts availability only. No known exploits are reported in the wild, and no patches were linked in the provided data, suggesting that mitigation may rely on vendor updates or workarounds. The underlying weakness is classified under CWE-190 (Integer Overflow or Wraparound).
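The class of bug described above (CWE-190 in a block-count and size calculation), shown next to a checked form, as an added illustration in C. This is not Qualcomm's boot code: the `part_entry` layout, the function names and the sample values are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical GPT-style partition entry; not the vendor's structure. */
struct part_entry {
    uint64_t first_lba;
    uint64_t last_lba;
};

/* Unchecked pattern: 32-bit block count and byte size wrap silently. */
uint32_t part_size_unchecked(const struct part_entry *p, uint32_t block_size)
{
    uint32_t blocks = (uint32_t)(p->last_lba - p->first_lba + 1);
    return blocks * block_size;             /* result is modulo 2^32 */
}

/* Checked form: reject malformed entries and detect overflow at each step. */
bool part_size_checked(const struct part_entry *p, uint32_t block_size,
                       uint64_t *size_out)
{
    uint64_t blocks;

    if (block_size == 0 || p->last_lba < p->first_lba)
        return false;                       /* malformed entry */
    blocks = p->last_lba - p->first_lba;
    if (blocks == UINT64_MAX)
        return false;                       /* the +1 would wrap */
    blocks += 1;
    if (blocks > UINT64_MAX / block_size)
        return false;                       /* the multiplication would wrap */
    *size_out = blocks * block_size;
    return true;
}

int main(void)
{
    /* Constructed sample: 2^23 blocks of 512 bytes = 2^32 bytes. */
    struct part_entry big = { 0, 0x7FFFFF };
    uint64_t size = 0;

    printf("unchecked: %u\n", (unsigned)part_size_unchecked(&big, 512));
    if (part_size_checked(&big, 512, &size))
        printf("checked:   %llu\n", (unsigned long long)size);
    return 0;
}
```

A caller of the checked form should treat a `false` return as a corrupt partition table and fail the lookup cleanly instead of continuing with a wrapped size.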
Potential Impact
For European organizations, the impact of this vulnerability primarily concerns devices and systems using affected Qualcomm Snapdragon chipsets, especially in automotive, industrial IoT, consumer IoT, and mobile environments. The denial of service could disrupt critical operations in connected vehicles, industrial control systems, and IoT deployments, potentially leading to system downtime, loss of availability, and operational interruptions. In automotive contexts, this could affect vehicle boot processes or connectivity modules, impacting safety or telematics services. In industrial or consumer IoT, affected devices might become unresponsive or fail to boot properly, causing service outages. Although the vulnerability does not affect confidentiality or integrity, the availability impact can be significant in safety-critical or business-critical environments. The requirement for physical access limits remote exploitation, but insider threats or physical access attacks remain a concern. Given the broad range of affected chipsets, organizations relying on Qualcomm hardware in embedded systems should assess their exposure carefully.
Mitigation Recommendations
1. Inventory and identify all devices and systems using affected Qualcomm Snapdragon chipsets, especially in automotive, industrial IoT, and mobile deployments.
2. Engage with Qualcomm and device vendors to obtain and apply official firmware or software patches addressing CVE-2022-22078 as they become available.
3. Where patches are not yet available, implement physical security controls to restrict unauthorized physical access to devices, reducing the risk of local exploitation.
4. Monitor device behavior for signs of boot failures or unexpected reboots that could indicate exploitation attempts.
5. For automotive and industrial environments, incorporate redundancy and failover mechanisms to mitigate potential availability disruptions.
6. Collaborate with supply chain partners to ensure updated hardware or firmware is deployed in new device procurements.
7. Consider network segmentation and access controls to limit exposure of vulnerable devices to untrusted users, even locally.
8. Maintain up-to-date asset management and vulnerability scanning to track affected devices and remediation status.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: qualcomm
- Date Reserved: 2021-12-21T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aec5a0
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 9:56:36 AM
Last updated: 2/4/2026, 4:57:55 AM
Views: 33