CVE-2024-23358 Overview
CVE-2024-23358 is a transient denial-of-service vulnerability affecting Qualcomm modem firmware across a broad range of Snapdragon mobile platforms, automotive modems, and connectivity chipsets. The flaw triggers when the modem processes an over-the-air (OTA) registration accept message containing a malformed ciphering key data Information Element (IE). A network-adjacent attacker operating a rogue base station can transmit the crafted message to interrupt cellular service on the targeted device. The vulnerability is classified under CWE-126: Buffer Over-read, indicating improper bounds handling during IE parsing.
Critical Impact
Successful exploitation causes a transient denial of service in the cellular modem, disrupting voice and data connectivity on devices using affected Qualcomm chipsets.
Affected Products
- Qualcomm Snapdragon 8 Gen 3 Mobile Platform and Snapdragon 425/429/430/439 Mobile Platforms
- Qualcomm Snapdragon X72 5G and X75 5G Modem-RF Systems, and Snapdragon Auto 5G Modem-RF Gen 2
- Qualcomm FastConnect 7800, QCA/WCN/WCD/WSA connectivity firmware, and related platform firmware (APQ8017, MSM8108, SDM429W, SM8635, and others)
Discovery Timeline
- 2024-09-02 - CVE-2024-23358 published to NVD
- September 2024 - Qualcomm publishes the Qualcomm Security Bulletin September 2024
- 2025-10-03 - Last updated in NVD database
Technical Details for CVE-2024-23358
Vulnerability Analysis
The vulnerability resides in the Non-Access Stratum (NAS) layer of the Qualcomm modem firmware, specifically in the routine that parses the registration accept message during 5G/LTE registration procedures. When the modem receives this OTA message, it must decode several Information Elements (IEs), including the ciphering key data IE that carries security context parameters. A malformed length or structure in this IE causes the parser to read beyond the expected boundary of the IE buffer.
The resulting out-of-bounds read leads to a transient crash and restart of modem subsystems. During the recovery window, the device loses cellular connectivity. The attack does not require user interaction or authentication because registration messages are processed before mutual authentication completes in many code paths.
Root Cause
The root cause is improper validation of the length and contents of the ciphering key data IE inside the registration accept OTA message. The parser trusts attacker-controlled length fields and accesses memory past the legitimate IE payload, producing a buffer over-read consistent with CWE-126.
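A parser avoids this class of over-read by bounding every access by the bytes actually received rather than by the length the sender declared. The following is an added illustration, not Qualcomm's code and not the 3GPP encoding: the tag(1) | length(1) | value layout, the tag value 0x7A, the 4-byte key size, and the sample messages are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical tag and key size for illustration, not the 3GPP encoding. */
#define IE_TAG_CIPHERING_KEY 0x7A
#define CIPHERING_KEY_LEN    4
enum ie_status { IE_OK, IE_NOT_FOUND, IE_TRUNCATED, IE_BAD_LENGTH };

/* Walk a constructed tag(1) | length(1) | value(length) list. Every read is
 * bounded by the bytes actually received, never by the declared length. */
enum ie_status parse_ciphering_key_ie(const uint8_t *msg, size_t msg_len,
                                      uint8_t key_out[CIPHERING_KEY_LEN])
{
    size_t off = 0;
    while (off < msg_len) {
        if (msg_len - off < 2)            /* header must be fully present */
            return IE_TRUNCATED;
        uint8_t tag = msg[off];
        size_t len = msg[off + 1];
        off += 2;
        /* An unchecked parser would read past the buffer here (CWE-126). */
        if (len > msg_len - off)
            return IE_TRUNCATED;
        if (tag == IE_TAG_CIPHERING_KEY) {
            if (len != CIPHERING_KEY_LEN) /* fixed-size consumer: exact match */
                return IE_BAD_LENGTH;
            memcpy(key_out, msg + off, CIPHERING_KEY_LEN);
            return IE_OK;
        }
        off += len;                       /* skip unrelated IE */
    }
    return IE_NOT_FOUND;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t MSG_VALID[]     = {0x10, 0x01, 0xFF, 0x7A, 0x04, 1, 2, 3, 4};
static const uint8_t MSG_OVERLONG[]  = {0x10, 0x01, 0xFF, 0x7A, 0x40, 1, 2, 3, 4};
static const uint8_t MSG_SHORT_KEY[] = {0x7A, 0x02, 1, 2, 0x10, 0x00};

int main(void)
{
    uint8_t key[CIPHERING_KEY_LEN];
    printf("valid=%d overlong=%d short_key=%d\n",
           (int)parse_ciphering_key_ie(MSG_VALID, sizeof MSG_VALID, key),
           (int)parse_ciphering_key_ie(MSG_OVERLONG, sizeof MSG_OVERLONG, key),
           (int)parse_ciphering_key_ie(MSG_SHORT_KEY, sizeof MSG_SHORT_KEY, key));
    return 0;
}
```

The overlong case declares 64 value bytes when only 4 remain, and the parser rejects it before any value byte is read.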
Attack Vector
Exploitation requires network proximity. An attacker stands up a malicious gNodeB or eNodeB and induces the target device to attempt registration. The rogue base station then responds with a crafted registration accept containing the malformed ciphering key data IE. No credentials, user clicks, or pre-installed software are required on the victim device.
No public proof-of-concept code is available for this vulnerability. Refer to the Qualcomm Security Bulletin September 2024 for vendor-provided technical context.
Detection Methods for CVE-2024-23358
Indicators of Compromise
- Unexpected modem subsystem restarts or repeated cellular service drops on affected Snapdragon devices.
- Mobile device logs (logcat, diag traces, or carrier diagnostic logs) showing NAS parsing errors during registration procedures.
- Devices repeatedly attaching to an unfamiliar cell tower or base station with anomalous identifiers prior to connectivity loss.
Detection Strategies
- Monitor mobile device management (MDM) telemetry for elevated rates of modem crashes or radio resets across the fleet.
- Correlate clusters of affected devices in the same physical location to identify potential rogue base station activity.
- Compare device firmware build numbers against the patched versions listed in the Qualcomm September 2024 bulletin.
Monitoring Recommendations
- Aggregate device crash and reboot telemetry centrally and alert on spikes mapped to modem subsystem identifiers.
- Track cellular network registration failures by location and device model to surface localized denial-of-service patterns.
- Subscribe to Qualcomm and OEM (Samsung, Google, Xiaomi, etc.) security bulletins to confirm downstream patch availability.
How to Mitigate CVE-2024-23358
Immediate Actions Required
- Inventory all mobile, automotive, and IoT assets containing the Qualcomm chipsets listed in the affected products section.
- Apply OEM firmware updates that incorporate the Qualcomm September 2024 modem patches as soon as they are released by the device vendor.
- For high-risk users, restrict operations in untrusted RF environments where rogue base stations are plausible.
Patch Information
Qualcomm released fixes as part of the September 2024 security bulletin. Device manufacturers integrate these modem firmware updates into their monthly security patch level (SPL) releases. Review the Qualcomm Security Bulletin September 2024 and apply the corresponding OEM update for each affected device model.
Workarounds
- Disable 5G/LTE radios on critical devices when operating in environments where rogue base station activity is suspected.
- Enforce MDM policies that prefer Wi-Fi connectivity and disable automatic cellular reconnection on sensitive devices until patched.
- Use carrier-provided protections against false base stations where available, and validate that 5G standalone (SA) mutual authentication is enabled by the network operator.
# Configuration example: verify Android security patch level on managed devices
adb shell getprop ro.build.version.security_patch
# Expected: a date on or after the OEM release incorporating the
# Qualcomm September 2024 modem firmware fixes.


