Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-38404

CVE-2024-38404: Qualcomm Ar8035 Firmware DOS Vulnerability

CVE-2024-38404 is a denial of service flaw in Qualcomm Ar8035 Firmware caused by improper ciphering key handling in modem registration. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2024-38404 Overview

CVE-2024-38404 is a transient denial-of-service (DoS) vulnerability affecting numerous Qualcomm modem, Wi-Fi, audio, and connectivity firmware components. The flaw triggers when a registration accept Over-The-Air (OTA) message is received containing an incorrect ciphering key data Information Element (IE). Improper parsing of the malformed IE causes an out-of-bounds memory read in the modem, resulting in a temporary loss of cellular service availability. The issue is categorized under [CWE-125] Out-of-Bounds Read and [CWE-126] Buffer Over-read.

Critical Impact

A network-adjacent attacker capable of delivering a crafted registration accept OTA message can disrupt modem availability across a broad range of Snapdragon-based mobile, automotive, wearable, and IoT devices without authentication or user interaction.

Affected Products

  • Qualcomm Snapdragon 8 Gen 3 Mobile, Snapdragon 429 Mobile, and Snapdragon Wear 4100+ platforms
  • Qualcomm Snapdragon X72 5G and X75 5G Modem-RF Systems, and Snapdragon Auto 5G Modem-RF Gen 2
  • Qualcomm FastConnect 7800, QCA6584AU, QCA6698AQ, QCN6274, WCN3980, WCN6755, and related Wi-Fi/connectivity firmware

Discovery Timeline

  • 2025-02-03 - CVE-2024-38404 published to NVD
  • February 2025 - Qualcomm publishes February 2025 Security Bulletin with patches
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-38404

Vulnerability Analysis

The vulnerability resides in the modem's Non-Access Stratum (NAS) message handling, specifically in the routine that parses the registration accept OTA message during 5G/LTE attach procedures. When the ciphering key data Information Element contains malformed length or content fields, the modem reads memory beyond the bounds of the allocated IE buffer. This out-of-bounds read produces a transient denial of service: the modem firmware enters an error state and drops cellular connectivity until it recovers or restarts.

The attack vector is network-based and requires no privileges or user interaction. Exploitation results in availability impact only — there is no confidentiality or integrity loss because the read does not return data to the attacker.

Root Cause

The root cause is missing or insufficient bounds validation when the modem deserializes the ciphering key data IE within a registration accept message. The parser trusts attacker-influenced length or offset fields and dereferences memory outside the IE structure, classified under [CWE-125] and [CWE-126].

Attack Vector

An attacker positioned to deliver malicious NAS signaling — for example, via a rogue base station, false base station, or compromised core network element — sends a registration accept OTA message containing a malformed ciphering key data IE. The target device's modem processes the IE during the registration procedure, triggering the out-of-bounds read and the transient DoS. Detailed exploitation specifics are not publicly disclosed; refer to the Qualcomm February 2025 Security Bulletin for further technical context.

Detection Methods for CVE-2024-38404

Indicators of Compromise

  • Unexpected modem resets, baseband crashes, or sudden loss of cellular registration on Snapdragon devices in a localized area
  • Repeated failed registration accept exchanges in operator core network logs originating from a small cell footprint
  • Presence of unauthorized or unexpected base stations broadcasting in proximity to affected devices

Detection Strategies

  • Monitor mobile device management (MDM) telemetry for clusters of modem crash reports or baseband ramdumps correlated by location
  • Correlate carrier-side NAS signaling anomalies, particularly malformed registration accept messages, with downstream device disconnects
  • Track firmware version inventory against Qualcomm's February 2025 Security Bulletin to identify unpatched devices in the fleet

Monitoring Recommendations

  • Ingest device crash and reliability telemetry into a centralized SIEM or data lake to detect anomalous baseband failures at scale
  • Use rogue base station detection tooling in sensitive environments (executive travel, OT/ICS sites, government facilities)
  • Establish baselines for modem stability metrics and alert on deviations that may indicate active radio-layer attacks

How to Mitigate CVE-2024-38404

Immediate Actions Required

  • Apply the OEM firmware update incorporating Qualcomm's February 2025 security patch to all affected Snapdragon, modem-RF, FastConnect, and connectivity chipsets
  • Inventory deployed devices against the affected product list and prioritize patching for fleet endpoints exposed to untrusted radio environments
  • For high-risk personnel, enable LTE-only or 5G SA-preferred modes where feasible to reduce exposure to downgrade-driven rogue base station attacks

Patch Information

Qualcomm released fixes as part of the February 2025 Security Bulletin. OEM device vendors must integrate the updated firmware into their monthly security patch level. Verify the patch is present by confirming the device's security patch level reflects February 2025 or later and that the modem firmware version matches the OEM's advisory.

Workarounds

  • No vendor-supplied workaround exists; firmware update is the only complete remediation
  • Limit operation in untrusted radio environments and use carrier-grade Wi-Fi calling where available to reduce reliance on cellular NAS signaling
  • Deploy rogue base station detection in high-value physical locations to identify radio-layer attack attempts
bash
# Verify Android device security patch level and baseband version
adb shell getprop ro.build.version.security_patch
adb shell getprop gsm.version.baseband

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.