CVE-2024-33011 Overview
CVE-2024-33011 is a denial-of-service vulnerability affecting a wide range of Qualcomm WLAN firmware components. The flaw resides in the parsing logic that handles the Multiple BSSID (MBSSID) Information Element (IE) within 802.11 beacon frames. When a beacon contains an MBSSID IE with a length of zero, the firmware mishandles the malformed element and enters a transient denial-of-service condition. The issue is tracked under [CWE-126] (Buffer Over-read) and [CWE-125] (Out-of-bounds Read). An unauthenticated attacker within wireless range can trigger the condition by broadcasting crafted beacon frames, affecting Snapdragon mobile platforms, FastConnect modules, IPQ networking SoCs, automotive platforms, and many other Qualcomm wireless products.
Critical Impact
A remote, unauthenticated attacker within radio range can trigger a transient denial of service on affected Qualcomm wireless chipsets by transmitting a crafted beacon frame with a zero-length MBSSID IE.
Affected Products
- Qualcomm Snapdragon mobile platforms (Snapdragon 8 Gen 1/2/3, 8+ Gen 1/2, 888/888+, 780G, 778G, 695, 680, 662, 480, 460, 4 Gen 1/2)
- Qualcomm FastConnect 6200/6700/6900/7800 connectivity modules and WCN/WCD/WSA series wireless components
- Qualcomm IPQ networking SoCs (IPQ4018–IPQ9574), QCA Wi-Fi chipsets, and automotive/IoT platforms (SA8xxx, QCS, QCN, QCM, Robotics RB5)
Discovery Timeline
- 2024-08-05 - CVE-2024-33011 published to NVD
- 2024-08-05 - Qualcomm publishes August 2024 Security Bulletin addressing the issue
- 2024-11-26 - Last updated in NVD database
Technical Details for CVE-2024-33011
Vulnerability Analysis
The vulnerability exists in the WLAN firmware routine responsible for parsing the Multiple BSSID Information Element carried inside 802.11 beacon frames. MBSSID IEs allow a single physical access point to advertise multiple virtual BSSIDs by nesting sub-elements within the beacon. The Qualcomm firmware parser does not adequately validate the length field of the MBSSID IE before iterating over its contents. When the length field is set to zero, the parser performs an out-of-bounds read operation on adjacent memory. This out-of-bounds access produces undefined behavior in the WLAN subsystem and forces the firmware into a transient unavailable state, interrupting wireless connectivity until the subsystem recovers or restarts.
Root Cause
The defect is a missing boundary check on the MBSSID IE length field during beacon parsing. The CWE-126 (Buffer Over-read) and CWE-125 (Out-of-bounds Read) classifications indicate the parser reads beyond the validated extent of the element when the declared length is zero, dereferencing memory the firmware does not own within the IE buffer.
Attack Vector
Exploitation is conducted over the air. An attacker within wireless range of a vulnerable device broadcasts beacon frames containing a malformed MBSSID IE with a length value of zero. No authentication or user interaction is required because beacons are processed by client devices during normal scanning and association procedures. The result is a transient denial of service affecting the WLAN subsystem of any device within reception range.
// Conceptual structure of a malformed MBSSID IE triggering the flaw
// Element ID: 71 (Multiple BSSID)
// Length: 0x00 <-- malformed: zero length bypasses bounds check
// Sub-elements follow but parser reads past validated region
//
// See Qualcomm August 2024 Security Bulletin for technical details.
Detection Methods for CVE-2024-33011
Indicators of Compromise
- Unexpected WLAN subsystem restarts, watchdog resets, or firmware crash logs on Qualcomm-based devices
- Repeated, unexplained disconnections from Wi-Fi networks affecting multiple devices simultaneously in the same coverage area
- Presence of beacon frames in wireless captures containing MBSSID IE (Element ID 71) with a length field of zero
Detection Strategies
- Monitor wireless intrusion detection systems (WIDS) for beacon frames containing malformed MBSSID Information Elements
- Use packet captures (Wireshark, tcpdump with monitor mode) and filter on wlan.tag.number == 71 combined with zero-length values to identify hostile beacons
- Correlate device-side WLAN driver crash telemetry with environmental wireless captures to confirm beacon-induced fault patterns
Monitoring Recommendations
- Deploy WIDS/WIPS sensors in environments with high concentrations of Qualcomm-based mobile, IoT, or automotive endpoints
- Track firmware crash counters and wlan subsystem restart events through endpoint telemetry and MDM platforms
- Maintain RF-environment baselines so anomalous beacon activity from rogue or spoofed access points can be flagged for investigation
How to Mitigate CVE-2024-33011
Immediate Actions Required
- Apply Qualcomm's August 2024 security patches through the relevant OEM firmware update channels for all affected platforms
- Inventory devices that incorporate the listed Qualcomm chipsets (Snapdragon, FastConnect, WCN, WCD, WSA, IPQ, QCA, QCN, QCM, SA series) and prioritize update deployment
- Coordinate with mobile OEMs, automotive vendors, and IoT integrators to obtain downstream firmware containing the fix
Patch Information
Qualcomm addressed CVE-2024-33011 in its August 2024 Security Bulletin. Patched firmware is distributed to OEMs and customers who must then issue downstream updates for handsets, networking equipment, automotive platforms, and IoT devices. Refer to the Qualcomm August 2024 Security Bulletin for the complete list of fixed components and OEM guidance.
Workarounds
- Where patching is not yet possible, reduce wireless attack surface by disabling Wi-Fi on non-essential devices in untrusted RF environments
- Operate sensitive Qualcomm-based devices in controlled wireless environments and restrict client scanning to known SSIDs where the operating system supports it
- Deploy wireless intrusion prevention to identify and contain rogue access points broadcasting malformed beacon frames
# Example: capture suspicious MBSSID beacons for analysis (Linux, monitor mode)
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
sudo tcpdump -i wlan0 -w mbssid_beacons.pcap \
'type mgt subtype beacon'
# Then inspect in Wireshark with display filter:
# wlan.tag.number == 71 && wlan.tag.length == 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
