CVE-2024-21454 Overview
CVE-2024-21454 is a transient denial-of-service (DoS) vulnerability affecting Qualcomm automotive telematics components. The flaw occurs while decoding the ToBeSignedMessage structure used in Cellular Vehicle-to-Everything (C-V2X) communications. An attacker on the network can send a malformed signed message that triggers the condition, disrupting modem operation on affected automotive platforms.
Qualcomm addressed the issue in the April 2024 Security Bulletin. The vulnerability is tracked under [CWE-680] (Integer Overflow to Buffer Overflow) and [CWE-190] (Integer Overflow or Wraparound).
Critical Impact
Remote, unauthenticated attackers can trigger a transient DoS in C-V2X and automotive modem firmware, disrupting safety-critical vehicle communications.
Affected Products
- Qualcomm C-V2X 9150 and C-V2X 9150 firmware
- Qualcomm Auto 5G Modem-RF and Auto 5G Modem-RF firmware
- Qualcomm Auto 4G Modem and Auto 4G Modem firmware
Discovery Timeline
- 2024-04-01 - CVE-2024-21454 published to NVD
- 2024-04-01 - Qualcomm publishes April 2024 Security Bulletin with patch information
- 2025-01-13 - Last updated in NVD database
Technical Details for CVE-2024-21454
Vulnerability Analysis
The vulnerability resides in the decoder for the ToBeSignedMessage structure within Qualcomm's automotive telematics stack. C-V2X messages exchanged between vehicles and roadside infrastructure are wrapped in signed IEEE 1609.2 containers. The ToBeSignedMessage field holds the payload that is cryptographically signed before transmission.
When the decoder parses this field, an attacker-controlled length or count value is used in an arithmetic operation without proper bounds checking. The resulting integer overflow leads to undersized memory handling and downstream corruption ([CWE-680], [CWE-190]). The condition forces the affected modem firmware into a transient denial-of-service state, interrupting V2X message processing until the component recovers.
The vulnerability impacts availability only — confidentiality and integrity are not affected. However, in automotive telematics, loss of V2X availability can disable safety messages such as collision warnings and emergency vehicle alerts.
Root Cause
The root cause is unchecked arithmetic on length or count fields within the encoded message. The decoder trusts the size value embedded in the inbound message and performs allocation or indexing based on the overflowed result. This produces the integer-overflow-to-buffer-overflow pattern described in [CWE-680].
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker within wireless range of an affected C-V2X or automotive modem device sends a crafted signed message containing malformed ToBeSignedMessage length fields. The decoder processes the attacker-supplied data before signature verification can reject malformed payloads, allowing the DoS to trigger remotely.
No public proof-of-concept exploit code is available. See the Qualcomm April 2024 Security Bulletin for vendor technical details.
Detection Methods for CVE-2024-21454
Indicators of Compromise
- Unexpected resets, crashes, or restarts of C-V2X 9150, Auto 5G, or Auto 4G modem firmware coinciding with inbound V2X traffic.
- Gaps in Basic Safety Message (BSM) or Cooperative Awareness Message (CAM) transmission logs from affected telematics units.
- Diagnostic Trouble Codes (DTCs) referencing telematics or V2X modem subsystem faults during operation.
Detection Strategies
- Monitor modem health telemetry for repeated decoder faults or watchdog-triggered restarts in the V2X stack.
- Correlate over-the-air message arrival timestamps with modem fault events to identify malformed signed-message patterns.
- Inspect IEEE 1609.2 message parsing logs for decoding errors on the ToBeSignedMessage field.
Monitoring Recommendations
- Enable verbose logging on C-V2X stacks during validation testing to capture decoder exceptions.
- Track firmware version inventory across fleet vehicles to confirm Qualcomm April 2024 patch deployment.
- Aggregate telematics-unit crash telemetry into a centralized SIEM or fleet management platform for trend analysis.
How to Mitigate CVE-2024-21454
Immediate Actions Required
- Inventory all vehicles and telematics control units (TCUs) using Qualcomm C-V2X 9150, Auto 5G Modem-RF, or Auto 4G Modem components.
- Coordinate with the vehicle OEM or Tier-1 supplier to obtain firmware updates that incorporate Qualcomm's April 2024 patches.
- Deploy firmware over-the-air (FOTA) updates to affected fleets as soon as validated builds are available.
Patch Information
Qualcomm released fixes in the April 2024 Security Bulletin. Patches must be integrated by OEMs and Tier-1 suppliers into their telematics firmware images before being delivered to end vehicles. Verify the patched firmware version with the device manufacturer before assuming remediation.
Workarounds
- No supported software workaround exists; firmware update is the only complete remediation.
- Where feasible, restrict or disable C-V2X functionality on impacted units until patched firmware is deployed.
- Apply network-layer filtering or rate-limiting at roadside units (RSUs) to reduce exposure to malformed signed messages.
# Example: query telematics modem firmware version for patch verification
adb shell getprop ro.vendor.modem.version
# Compare returned build identifier against the OEM-provided patched version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
