CVE-2024-23351 is a vulnerability classified under CWE-284 (Improper Access Control) discovered in Qualcomm Snapdragon platforms. The flaw arises because GPU registers beyond the last protected range can be accessed improperly through LPAC (Low Power Audio Codec) submissions, leading to memory corruption. This improper access control allows an attacker to manipulate GPU registers that should be off-limits, potentially enabling arbitrary code execution or escalation of privileges within the device. The affected products include a broad spectrum of Qualcomm Snapdragon SoCs and platforms, spanning mobile platforms (e.g., Snapdragon 8 Gen 1/2/3, Snapdragon 4 Gen 1/2), wearable platforms (Snapdragon W5+ Gen 1), robotics platforms, video collaboration platforms, and various FastConnect wireless subsystems. The vulnerability is exploitable without requiring any privileges (PR:N) or user interaction (UI:N), and the attack vector is local (AV:L), meaning the attacker needs local access to the device. The CVSS v3.1 score is 8.4 (high), reflecting the critical impact on confidentiality, integrity, and availability. No patches or exploits are currently publicly available, but the vulnerability's nature suggests that exploitation could lead to severe consequences such as device compromise, data leakage, or denial of service. The vulnerability was published on May 6, 2024, with Qualcomm as the assigner. The root cause is a failure in enforcing access control boundaries on GPU registers during LPAC submissions, indicating a design or implementation flaw in the GPU driver or firmware. This vulnerability affects a wide range of devices globally, including smartphones, IoT devices, and embedded systems using Qualcomm Snapdragon components.

For European organizations, the impact of CVE-2024-23351 is significant due to the widespread use of Qualcomm Snapdragon platforms in mobile devices, IoT, robotics, and embedded systems. Confidentiality could be compromised if attackers gain unauthorized access to sensitive data processed or stored on affected devices. Integrity risks include the potential for attackers to execute arbitrary code or manipulate device operations, which could disrupt business processes or enable further lateral movement within networks. Availability could also be affected if exploitation leads to system crashes or denial of service conditions. Critical sectors such as telecommunications, manufacturing (robotics), healthcare (wearables and medical devices), and government agencies relying on Snapdragon-based devices are particularly vulnerable. The local attack vector means that attackers need some form of local access, which could be achieved through physical access, compromised applications, or malware. The absence of required privileges or user interaction lowers the barrier for exploitation once local access is obtained. This vulnerability could also undermine trust in mobile communications and IoT deployments, impacting compliance with European data protection regulations (e.g., GDPR) if data breaches occur. The lack of known exploits in the wild provides a window for mitigation, but the broad device coverage necessitates urgent action to prevent potential attacks.

Mitigation of CVE-2024-23351 requires a multi-layered approach beyond generic patching advice. First, organizations should engage with device manufacturers and Qualcomm to obtain and deploy firmware and driver updates as soon as they become available. Until patches are released, restricting local access to devices is critical; this includes enforcing strict physical security controls and limiting the installation of untrusted applications that could exploit the vulnerability. Monitoring GPU-related system calls and LPAC submission activities for anomalies can help detect exploitation attempts. Employing endpoint detection and response (EDR) solutions capable of identifying unusual GPU register access patterns is recommended. For IoT and embedded systems, network segmentation and strict access controls can reduce the risk of local exploitation spreading laterally. Organizations should also review and harden device configurations to minimize unnecessary services and interfaces that could provide local access. Security teams should prepare incident response plans specific to GPU-related exploits and educate users about the risks of unauthorized device access. Finally, collaboration with industry groups and sharing threat intelligence related to this vulnerability will enhance collective defense.