CVE-2024-49845 is a vulnerability identified in Qualcomm Snapdragon chipsets and associated wireless connectivity products, stemming from improper input validation (CWE-20) during the Frame Request Service (FRS) UDS (Unified Diagnostic Services) generation process. This flaw leads to memory corruption, which can be exploited by an attacker with local privileges to execute arbitrary code or cause denial of service. The vulnerability affects a wide array of Qualcomm products, including numerous Snapdragon mobile platforms (e.g., Snapdragon 8 Gen 1, 8 Gen 3, 865, 888 series), FastConnect wireless subsystems, modem-RF systems, and various connectivity modules (WCD, WCN, QCA series). The CVSS v3.1 score of 7.8 reflects high severity, with attack vector local (AV:L), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The flaw arises from insufficient validation of inputs during the FRS UDS generation, a diagnostic process used for device communication and testing, leading to memory corruption vulnerabilities exploitable by privileged local attackers. Although no known exploits are reported in the wild, the broad product impact and potential for privilege escalation or system compromise make this a critical concern for device manufacturers and users. Qualcomm has not yet published patches, but mitigation will require firmware updates and enhanced input validation controls in the affected components.

The vulnerability allows attackers with local privileges to cause memory corruption, potentially leading to arbitrary code execution, privilege escalation, or denial of service on affected devices. Given the extensive list of impacted Qualcomm Snapdragon platforms and wireless modules, the threat spans mobile phones, tablets, IoT devices, automotive systems, and compute platforms that rely on these chipsets. Exploitation could compromise device confidentiality by leaking sensitive data, integrity by altering system behavior, and availability by crashing critical services. This could lead to unauthorized access, persistent malware installation, or disruption of critical communications, especially in connected vehicles or industrial IoT deployments. The broad market penetration of Qualcomm Snapdragon products means a large global user base is at risk, including consumers, enterprises, and critical infrastructure sectors. The requirement for local privileges limits remote exploitation but does not eliminate risk, as attackers could leverage other vulnerabilities or social engineering to gain initial access. The absence of known exploits in the wild provides a window for proactive mitigation before widespread attacks occur.

Organizations and device manufacturers should prioritize the deployment of firmware and software updates from Qualcomm as soon as patches become available. In the interim, restrict local access to devices and enforce strict access controls to limit potential attackers from gaining the required privileges. Implement runtime protections such as memory corruption mitigations (e.g., DEP, ASLR) where supported by the platform. Conduct thorough input validation and sanitization in diagnostic and communication processes to prevent malformed inputs from triggering memory corruption. For device manufacturers, review and harden the FRS UDS generation code and related diagnostic interfaces to ensure robust input handling. Employ endpoint security solutions to detect anomalous local activity indicative of exploitation attempts. For critical environments like automotive or industrial IoT, consider network segmentation and device isolation to reduce attack surface. Monitor vendor advisories and threat intelligence feeds for updates on exploit developments and patch releases. Finally, educate users and administrators about the risks of granting local privileges and the importance of applying security updates promptly.