CVE-2024-33012 Overview
CVE-2024-33012 is a transient denial-of-service vulnerability affecting a broad range of Qualcomm WLAN firmware components. The flaw resides in the beacon frame parser when it processes Multiple BSSID (MBSSID) Information Elements. When a beacon contains an MBSSID IE whose tag length is non-zero but the element extends past the end of the beacon, the parser performs an out-of-bounds memory access. The condition is reachable over the air without authentication and impacts hundreds of Snapdragon mobile, automotive, compute, IoT, and networking platforms.
Critical Impact
A nearby attacker broadcasting a malformed Wi-Fi beacon can trigger a transient denial of service on the WLAN subsystem of any vulnerable Qualcomm-powered device within range, disrupting wireless connectivity until recovery.
Affected Products
- Qualcomm Snapdragon mobile platforms (4 Gen 1/2, 480/695/778G/780G/782G, 8 Gen 1/2/3, 888) and modem-RF systems (Snapdragon X35/X62/X65/X72/X75 5G)
- Qualcomm WLAN connectivity SoCs including FastConnect 6200/6700/6900/7800, WCN3950/3980/3988/3990/6740, QCA6174A/6391/6574/6595/6696/6797AQ, and the QCA9377/9888/9984/9994 series
- Qualcomm networking and IoT firmware including IPQ4018–IPQ9574, QCN5022–QCN9274, QCS410–QCS8550, QCM4325–QCM8550, Robotics RB5, Flight RB5 5G, Immersive Home 214–326, and Vision Intelligence 400
Discovery Timeline
- 2024-08-05 - CVE-2024-33012 published to NVD
- August 2024 - Qualcomm publishes security bulletin and releases patches to OEMs
- 2024-11-26 - Last updated in NVD database
Technical Details for CVE-2024-33012
Vulnerability Analysis
The vulnerability is a buffer over-read in the WLAN host firmware that parses 802.11 beacon management frames. Beacon frames advertise the presence of an access point and carry a chain of Information Elements (IEs) using the Type-Length-Value format. The Multiple BSSID IE (element ID 71) allows a single physical AP to advertise multiple logical BSSes within one beacon. The parser walks the IE chain sequentially and trusts the length byte without validating that the IE body actually fits within the remaining beacon buffer. The flaw is tracked under CWE-126: Buffer Over-read and CWE-125: Out-of-Bounds Read.
Root Cause
The parser fails to enforce the invariant that ie_offset + 2 + ie_length <= beacon_end before dereferencing the IE body. When a crafted beacon contains an MBSSID IE with a non-zero tag length placed at the very end of the frame, the read advances beyond the allocated buffer. The unchecked read crashes the WLAN firmware task, producing a transient denial of service on the wireless subsystem.
Attack Vector
The attack is purely network-adjacent and requires no authentication, no user interaction, and no prior pairing. An attacker within Wi-Fi radio range broadcasts a beacon frame containing a malformed MBSSID IE. Any vulnerable station performing passive scanning, active scanning, or background roaming will parse the beacon and trigger the fault. Because beacons are processed whether the station is scanning or already connected, mobile and IoT devices in normal operation are exposed. The impact is limited to availability (confidentiality and integrity are not affected), but the WLAN subsystem must reset to recover.
Detection Methods for CVE-2024-33012
Indicators of Compromise
- Unexpected WLAN firmware crashes, subsystem restarts (SSR), or repeated Wi-Fi reconnection cycles on Snapdragon-powered devices
- Kernel or cnss driver log entries referencing mbssid, beacon parse failures, or firmware ramdump events correlated with proximity to unknown SSIDs
- Presence of beacon frames advertising element ID 71 (MBSSID) where the declared tag length exceeds the remaining frame bytes
Detection Strategies
- Capture nearby 802.11 management traffic with a monitor-mode adapter and inspect MBSSID IEs for length fields that exceed frame_length - current_offset
- Correlate device telemetry showing Wi-Fi subsystem restarts with timestamps of suspicious beacon captures from the surrounding RF environment
- Deploy wireless intrusion detection sensors that flag malformed beacon frames and beacons originating from rogue BSSIDs in monitored facilities
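The bounds check named under Root Cause, applied as the beacon-inspection step from the detection strategies above: an IE-chain walker that refuses to read any element body that does not fit inside the frame. This is an added example, not Qualcomm's firmware or any WIDS product's code; it assumes the standard beacon body layout (12 fixed bytes followed by TLV IEs) and uses constructed sample frames whose IE body bytes are placeholders.

```c
#include <stddef.h>
#include <stdint.h>
/* Beacon body: 8-byte timestamp, 2-byte interval, 2-byte capability, then TLV IEs. */
#define BEACON_FIXED_LEN 12
#define EID_SSID   0
#define EID_MBSSID 71   /* Multiple BSSID element ID, as stated in the advisory */

enum ie_status { IE_OK = 0, IE_TRUNCATED_HEADER = 1, IE_TRUNCATED_BODY = 2 };

/* Walks the IE chain, enforcing off + 2 + len <= frame_len before any body byte is read.
 * Returns the first violation; *bad_eid (if non-NULL) receives the offending element ID. */
enum ie_status validate_beacon_ies(const uint8_t *frame, size_t frame_len, uint8_t *bad_eid)
{
    size_t off = BEACON_FIXED_LEN;
    if (frame_len < BEACON_FIXED_LEN)
        return IE_TRUNCATED_HEADER;
    while (off < frame_len) {
        if (off + 2 > frame_len) {          /* ID byte present but no length byte */
            if (bad_eid) *bad_eid = frame[off];
            return IE_TRUNCATED_HEADER;
        }
        uint8_t eid = frame[off];
        size_t len = frame[off + 1];
        if (off + 2 + len > frame_len) {    /* the invariant the vulnerable parser skipped */
            if (bad_eid) *bad_eid = eid;
            return IE_TRUNCATED_BODY;
        }
        off += 2 + len;                     /* frame[off+2 .. off+2+len) was safe to parse */
    }
    return IE_OK;
}

/* Element ID of the first truncated IE, or 0xFF when the frame is well-formed
 * (or too short to hold any IE header at all). */
uint8_t first_bad_eid(const uint8_t *frame, size_t frame_len)
{
    uint8_t eid = 0xFF;
    return validate_beacon_ies(frame, frame_len, &eid) == IE_OK ? 0xFF : eid;
}

/* Constructed sample beacon bodies (not captured traffic); IE body bytes are placeholders. */
static const uint8_t good_beacon[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x11,0x04,  /* timestamp, interval 100 TU, capability */
    EID_SSID, 4, 'l','a','b','1',           /* SSID IE, 4-byte body fits */
    EID_MBSSID, 3, 0x02, 0x00, 0x00         /* MBSSID IE, body ends exactly at frame end */
};
static const uint8_t truncated_beacon[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x11,0x04,
    EID_SSID, 4, 'l','a','b','1',
    EID_MBSSID, 8, 0x02                     /* declares 8 body bytes, only 1 is present */
};
```

Run validate_beacon_ies over each beacon body taken from a monitor-mode capture; a result of IE_TRUNCATED_BODY with bad_eid equal to 71 is exactly the indicator listed above (declared MBSSID tag length exceeding the remaining frame bytes).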
Monitoring Recommendations
- Forward mobile device management (MDM) and EDR telemetry that reports WLAN driver crashes into your central logging platform for trend analysis
- Monitor enterprise wireless infrastructure for repeated beacon anomalies, especially in environments using Wi-Fi 6/6E where MBSSID is in active use
- Track Qualcomm security bulletin advisories and OEM patch propagation status for the fleet of mobile, IoT, and networking devices in scope
How to Mitigate CVE-2024-33012
Immediate Actions Required
- Inventory all devices containing affected Qualcomm chipsets, including handsets, laptops, automotive units, access points, and IoT gateways
- Apply OEM firmware and Android security updates that incorporate the Qualcomm August 2024 patch level as soon as vendor builds are available
- For fixed-location IoT and networking gear, prioritize patching units deployed in publicly accessible RF environments where rogue beacons are most likely
Patch Information
Qualcomm released fixes in the Qualcomm Security Bulletin August 2024. Patches are distributed to OEMs and integrated into device-specific firmware releases. Android device users should install the August 2024 (or later) Android security patch level. For networking SKUs (IPQ, QCN, QCA), apply the firmware update provided by the device manufacturer.
Workarounds
- Disable Wi-Fi on affected devices when operating in untrusted RF environments until patched firmware is deployed
- Restrict roaming and disable background Wi-Fi scanning on managed mobile devices through MDM policy where business requirements permit
- Deploy wireless intrusion prevention (WIPS) to identify and contain rogue access points broadcasting malformed beacons near sensitive sites
# Example: query installed Android security patch level via ADB
adb shell getprop ro.build.version.security_patch
# Expected output for a remediated device: 2024-08-01 or later
// Example: restrict Wi-Fi configuration via Android MDM policy (Android Enterprise), Java
// Must be called by a device owner or profile owner app; context and adminComponent are placeholders
// Note: DISALLOW_CONFIG_WIFI blocks users from configuring Wi-Fi; it does not by itself switch the radio off
DevicePolicyManager dpm =
        (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
dpm.addUserRestriction(adminComponent, UserManager.DISALLOW_CONFIG_WIFI);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.