CVE-2024-49846: CWE-126 Buffer Over-read in Qualcomm, Inc. Snapdragon
Memory corruption while decoding of OTA messages from T3448 IE.
AI Analysis
Technical Summary
CVE-2024-49846 is a high-severity vulnerability in multiple Qualcomm Snapdragon components, including modem, RF and wearable platform chipsets. The root cause is a buffer over-read (CWE-126) while decoding the T3448 value information element (IE) in over-the-air (OTA) messages. "OTA" here means cellular signalling received over the radio interface, not firmware updates: T3448 is a 3GPP NAS timer (Service Gap Control, specified in TS 24.301 for EPS and TS 24.501 for 5GS), and its value IE is carried in downlink NAS messages that the network sends to the device. A malformed IE, for example one whose declared length does not match the octets actually present, can make the modem's decoder read past the end of the received message buffer. The CVSS 3.1 base score is 8.2 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L: no privileges or user interaction are required, confidentiality impact is high, integrity is unaffected, and availability impact is low. In practice the message has to arrive over the air, so the realistic attacker is one who can deliver NAS signalling to the device, such as a rogue base station or a compromised network element, rather than an arbitrary host on the internet. The affected products span Qualcomm chipsets used in smartphones, automotive systems, wearables and IoT devices. The most likely outcome of exploitation is disclosure of modem memory adjacent to the message buffer; the low availability rating reflects that an over-read can also destabilise the modem subsystem. No exploitation in the wild had been reported at the time of writing, and this analysis predates fixes reaching end devices, so inventorying affected hardware and tracking OEM firmware updates is the priority. The flaw illustrates a recurring pattern in baseband firmware: a length field taken from a received message must be validated against the bytes remaining in the buffer before it is used.
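To make the bug class concrete, the C program below is an added, constructed example; it is not Qualcomm firmware and nothing in it is taken from the advisory. It decodes a simplified stream of TLV information elements and looks for the T3448 value IE. It assumes the IE uses the GPRS timer 2 layout (IEI, length octet, one value octet with unit in bits 8-6 and value in bits 5-1) and uses 0x6B as the IEI purely for illustration; the function names, the message bytes and the 0xAA "stale memory" filler are all assumptions of the example. The naive decoder trusts the length octet; the checked decoder bounds every length against the octets remaining. The truncated message is placed in a larger arena so the over-read is observable without undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes of the decoders. */
enum { IE_OK = 0, IE_NOT_FOUND = -1, IE_TRUNCATED = -2, IE_BAD_LENGTH = -3 };

/* Decoded timer: GPRS timer 2 value octet, bits 8-6 = unit, bits 5-1 = value.
 * (Layout assumed for this example, after 3GPP TS 24.008 10.5.7.4.) */
typedef struct { uint8_t unit; uint8_t value; } t3448_t;

#define T3448_IEI 0x6B   /* IEI assumed for illustration only */

/* Naive decoder: walks TLV IEs and trusts every length octet it meets.
 * Nothing checks that the length octet or the value octet lie inside
 * msg_len, so a message cut short after the length octet makes it read
 * whatever follows the buffer: a CWE-126 buffer over-read. */
static int decode_t3448_naive(const uint8_t *msg, size_t msg_len, t3448_t *out)
{
    size_t i = 0;
    while (i < msg_len) {
        uint8_t iei = msg[i];
        uint8_t len = msg[i + 1];            /* i + 1 may already be past the end */
        if (iei == T3448_IEI) {
            uint8_t v = msg[i + 2];          /* past msg_len when the value octet is missing */
            out->unit = v >> 5;
            out->value = v & 0x1F;
            return IE_OK;
        }
        i += 2 + (size_t)len;
    }
    return IE_NOT_FOUND;
}

/* Checked decoder: every length is validated against the bytes remaining
 * before any octet beyond it is touched, and the T3448 value IE must carry
 * exactly one content octet. */
static int decode_t3448_checked(const uint8_t *msg, size_t msg_len, t3448_t *out)
{
    size_t i = 0;
    while (i < msg_len) {
        if (msg_len - i < 2)
            return IE_TRUNCATED;             /* IEI and length octet must both be present */
        uint8_t iei = msg[i];
        uint8_t len = msg[i + 1];
        size_t remaining = msg_len - i - 2;
        if (len > remaining)
            return IE_TRUNCATED;             /* declared length runs past the message */
        if (iei == T3448_IEI) {
            if (len != 1)
                return IE_BAD_LENGTH;        /* GPRS timer 2 content is exactly one octet */
            uint8_t v = msg[i + 2];
            out->unit = v >> 5;
            out->value = v & 0x1F;
            return IE_OK;
        }
        i += 2 + (size_t)len;
    }
    return IE_NOT_FOUND;
}

/* Constructed well-formed message: an unrelated one-octet TLV IE (IEI 0x5E)
 * followed by a T3448 value IE whose value octet 0x49 means unit 2, value 9. */
static const uint8_t GOOD_MSG[] = { 0x5E, 0x01, 0x21, T3448_IEI, 0x01, 0x49 };

/* Truncated-message scenario. The two received octets (IEI and a length
 * octet claiming one content octet) are copied into an arena pre-filled with
 * 0xAA, standing in for stale bytes of an earlier message that happen to sit
 * after the buffer. Returns the checked decoder's result and stores what the
 * naive decoder "decoded" from the adjacent memory in *leaked. */
static int run_truncated_demo(t3448_t *leaked)
{
    uint8_t arena[16];
    memset(arena, 0xAA, sizeof arena);
    const uint8_t truncated[] = { T3448_IEI, 0x01 };
    memcpy(arena, truncated, sizeof truncated);

    leaked->unit = leaked->value = 0;
    decode_t3448_naive(arena, sizeof truncated, leaked);   /* reads arena[2] == 0xAA */

    t3448_t checked = { 0, 0 };
    return decode_t3448_checked(arena, sizeof truncated, &checked);
}

int main(void)
{
    t3448_t good = { 0, 0 }, leaked = { 0, 0 };
    decode_t3448_checked(GOOD_MSG, sizeof GOOD_MSG, &good);
    printf("well-formed: unit=%u value=%u\n", good.unit, good.value);
    int rc = run_truncated_demo(&leaked);
    printf("truncated: naive decoded unit=%u value=%u from adjacent memory, checked rc=%d\n",
           leaked.unit, leaked.value, rc);
    return 0;
}
```

The naive decoder happily returns unit 5, value 10 for the truncated message: those bits came from the 0xAA filler beyond the buffer, which is exactly the information-disclosure path the CVSS vector rates as C:H. The checked decoder returns IE_TRUNCATED before touching that memory. Real NAS decoders also have to handle type 1, 2 and 3 IEs without length octets, but the rule is the same for each: bound every read against the octets remaining in the received message.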
Potential Impact
For European organizations the impact could be substantial, given the prevalence of Qualcomm Snapdragon chipsets in consumer mobile devices, automotive telematics and wearables. The confidentiality impact is disclosure of whatever the modem holds near the message buffer at the time, which could include subscriber and signalling state, to whoever sent the malformed message. Because the trigger is downlink signalling, the attacker needs no action from the user, but does need to be positioned to send it: a rogue base station can reach every affected device within its coverage area, and a compromised operator element could reach many more, so the realistic mass-exposure scenario is geographic or operator-wide rather than internet-wide. Vehicles using the affected Snapdragon Auto 5G Modem-RF Gen 2 carry the same risk in their telematics units, where modem firmware is often updated far less promptly than on a phone; wearables on Snapdragon W5+ Gen 1 may hold personal health data on the same device. Although the availability impact is rated low, a confidentiality breach alone can constitute a personal data breach under GDPR, with notification duties and potential fines for European entities. The absence of known exploitation provides a window for proactive defence; it also means there is no signature to detect, so organisations should not wait for one before acting.
Mitigation Recommendations
The vulnerable code runs inside the modem firmware and the malicious input arrives as cellular signalling over the radio interface, so enterprise controls on the IP network (IDS/IPS, deep packet inspection, segmentation) never see the message and cannot block it; mitigation has to come from patching and from reducing exposure. At the time of writing no fix had reached end devices, so the first step is to inventory which phones, wearables, telematics units and IoT modules in use are built on the affected chipsets and to track the corresponding OEM and carrier firmware releases, applying baseband updates as soon as they ship. For automotive and industrial fleets, where modem firmware often lags well behind handsets, engage the vehicle or module vendor for an update schedule and confirm that the update path itself is authenticated. Organisations that operate private LTE/5G networks control the core network that originates NAS signalling and can restrict which elements may reach their devices; on public networks only the operator can constrain signalling, so coordinate with carriers on their rollout. For high-risk users, cellular threat monitoring that flags rogue base stations is the one control that addresses the realistic attack path, and unexplained modem subsystem restarts on managed devices are worth investigating as a possible sign of malformed signalling. Finally, end-user guidance should stress installing operating system and firmware updates promptly once patches become available.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: qualcomm
- Date Reserved: 2024-10-20T17:18:43.218Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981cc4522896dcbda40c
Added to database: 5/21/2025, 9:08:44 AM
Last enriched: 7/5/2025, 5:56:03 PM
Last updated: 7/26/2025, 6:21:52 AM