
CVE-2024-23351: CWE-284 Improper Access Control in Qualcomm, Inc. Snapdragon

Severity: High
Type: Vulnerability
Tags: CVE-2024-23351, cve, cve-2024-23351, cwe-284
Published: Mon May 06 2024 (05/06/2024, 14:32:20 UTC)
Source: CVE Database V5
Vendor/Project: Qualcomm, Inc.
Product: Snapdragon

Description

Memory corruption as GPU registers beyond the last protected range can be accessed through LPAC submissions.

AI-Powered Analysis

Last updated: 12/16/2025, 17:01:42 UTC

Technical Analysis

CVE-2024-23351 is a vulnerability classified under CWE-284 (Improper Access Control) affecting Qualcomm Snapdragon platforms. The flaw arises because GPU registers beyond the last protected range can be accessed through LPAC (Low Power Audio Codec) submissions, leading to memory corruption. This improper access control allows an attacker with local access to the device to manipulate GPU registers in a way that corrupts memory, potentially enabling arbitrary code execution, privilege escalation, or denial of service.

The vulnerability impacts a broad spectrum of Qualcomm products, including numerous Snapdragon mobile platforms (from Snapdragon 4 Gen 1 to Snapdragon 8+ Gen 2), FastConnect wireless subsystems, robotics platforms, video collaboration platforms, and various chipsets (QCA, QCM, QCS series). The CVSS v3.1 score is 8.4 (high), with an attack vector of local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). This means an attacker with local access can exploit the vulnerability without needing elevated privileges or user interaction, making it particularly dangerous in environments where physical or local access is possible.

No known exploits have been reported in the wild yet, and Qualcomm has not published patches at the time of this report. The vulnerability was reserved in January 2024 and published in May 2024. The root cause is the lack of proper boundary checks or access control on GPU registers accessed via LPAC submissions, which should have been protected. This flaw can be leveraged to corrupt memory, potentially leading to system instability, data leakage, or execution of malicious code within the affected device's context.

Potential Impact

For European organizations, the impact of CVE-2024-23351 can be significant, especially those relying on Snapdragon-based devices for mobile communications, IoT, robotics, or video collaboration. Confidentiality risks include unauthorized access to sensitive data processed or stored on affected devices. Integrity risks involve potential manipulation or corruption of data and system states, while availability risks stem from possible device crashes or denial of service caused by memory corruption. The vulnerability's exploitation could lead to local privilege escalation, enabling attackers to gain deeper access to corporate networks or critical infrastructure. Industries such as telecommunications, manufacturing (robotics), healthcare (wearables), and government agencies using Snapdragon-powered devices could face operational disruptions or data breaches. The requirement for local access somewhat limits remote exploitation but does not eliminate risk in scenarios where devices are shared, lost, or accessed by malicious insiders. The absence of patches increases exposure time, and the broad range of affected products means many devices in use across Europe are potentially vulnerable.

Mitigation Recommendations

1. Monitor Qualcomm and device vendors for official patches or firmware updates addressing CVE-2024-23351 and apply them promptly once available.
2. Restrict physical and local access to devices containing affected Snapdragon platforms, enforcing strict access controls and user authentication.
3. Implement endpoint security solutions that can detect anomalous GPU or device behavior indicative of exploitation attempts.
4. For enterprise environments, enforce device usage policies that limit installation of untrusted applications or code that could leverage LPAC submissions to exploit the vulnerability.
5. Conduct regular security audits and penetration tests focusing on local privilege escalation vectors and GPU subsystem security.
6. Educate users about the risks of leaving devices unattended or accessible to unauthorized personnel.
7. Where possible, isolate critical systems from devices with affected Snapdragon platforms or use network segmentation to limit lateral movement post-exploitation.
8. Collaborate with vendors to obtain detailed technical guidance and participate in coordinated vulnerability disclosure programs to stay informed.


Technical Details

Data Version: 5.2
Assigner Short Name: qualcomm
Date Reserved: 2024-01-16T03:27:26.431Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69418d789050fe8508ffbf62

Added to database: 12/16/2025, 4:48:56 PM

Last enriched: 12/16/2025, 5:01:42 PM

Last updated: 12/20/2025, 5:05:11 PM
