CVE-2024-49846 Overview
CVE-2024-49846 is a critical memory corruption vulnerability affecting Qualcomm firmware components during the decoding of Over-The-Air (OTA) messages from T3448 Information Elements (IE). The vulnerability stems from improper buffer handling (CWE-126: Buffer Over-read and CWE-125: Out-of-Bounds Read) within the OTA message parsing routines, potentially allowing attackers to compromise affected devices remotely over the network.
The T3448 Information Element carries a GPRS Timer 3 value used in cellular network signaling. When maliciously crafted OTA messages are processed by vulnerable Qualcomm chipsets, the decoding logic fails to properly validate input boundaries, leading to memory corruption conditions that can result in sensitive information disclosure or denial of service.
Critical Impact
This vulnerability enables remote network-based attacks against Qualcomm-powered devices including automotive systems, 5G modems, wearables, and mobile platforms. Successful exploitation can lead to confidentiality breach through memory disclosure and availability impact via device crashes.
Affected Products
- Qualcomm Snapdragon Auto 5G Modem-RF Gen 2 (Automotive)
- Qualcomm Snapdragon X72 and X75 5G Modem-RF Systems
- Qualcomm SM8750/SM8750P Mobile Platforms
- Qualcomm FastConnect 7800 Connectivity Chipsets
- Qualcomm Snapdragon W5+ Gen 1 Wearable Platform
- Qualcomm SDX80M Modem Platform
- Qualcomm QCA6574AU, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6698AQ (Automotive/Networking)
- Qualcomm QCN6224, QCN6274 (WiFi 7 Chipsets)
- Qualcomm WCD9340, WCD9395 (Audio Codecs)
- Qualcomm WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H (Smart Amplifiers)
Discovery Timeline
- May 6, 2025 - CVE-2024-49846 published to NVD
- May 9, 2025 - Last updated in NVD database
Technical Details for CVE-2024-49846
Vulnerability Analysis
The vulnerability exists in the firmware's OTA message decoding subsystem, specifically within the handling of T3448 Information Elements. T3448 is a GPRS Timer 3 value used in cellular protocols for timing procedures during network registration, routing area updates, and other mobility management operations.
When the affected firmware receives an OTA message containing a T3448 IE, the decoding routine performs buffer read operations without adequate boundary checks. This allows an attacker to craft malicious OTA messages that trigger out-of-bounds memory reads (CWE-125) or buffer over-reads (CWE-126). The memory corruption can expose sensitive data from adjacent memory regions or cause the modem processor to crash.
The attack requires no user interaction and can be executed remotely over the cellular network, making it particularly dangerous for devices with cellular connectivity. The vulnerability affects the confidentiality of data processed by the modem subsystem and can result in denial of service conditions affecting device availability.
Root Cause
The root cause is insufficient input validation in the T3448 IE parsing code. When decoding OTA messages, the firmware fails to properly verify that the length fields within the T3448 Information Element accurately reflect the available data buffer size. This boundary condition error allows read operations to access memory beyond the allocated buffer boundaries.
The specific weaknesses involved are:
- CWE-125 (Out-of-Bounds Read): The decoder reads data from memory locations outside the bounds of the intended buffer
- CWE-126 (Buffer Over-read): The read operation exceeds the buffer size, potentially accessing sensitive adjacent memory
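As an added illustration (not Qualcomm's code and not part of the original page), a bounds-checked decoder for a T3448-style IE under an assumed simplified TLV layout, with the checks whose absence produces the over-read described above marked (*); the IEI value and field layout are assumptions for the example only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed simplified TLV layout (illustration only, not Qualcomm's code):
 *   [IEI:1][LEN:1][VALUE:LEN]   value byte: bits 8-6 unit, bits 5-1 count */
#define T3448_IEI_ASSUMED 0x6B   /* placeholder IEI, not the real tag */

typedef struct { uint8_t unit; uint8_t count; } t3448_t;

/* Decode one T3448 IE at buf[0]. 'avail' is how many bytes are really
 * present in the receive buffer from that offset. Returns bytes consumed,
 * or 0 when the IE is rejected. Checks marked (*) are the ones whose
 * absence produces a CWE-125/CWE-126 over-read: a decoder that trusts
 * LEN (or assumes a value byte exists) reads past the end of 'buf'. */
size_t decode_t3448(const uint8_t *buf, size_t avail, t3448_t *out) {
    if (buf == NULL || out == NULL) return 0;
    if (avail < 2) return 0;                 /* (*) IEI+LEN must be present */
    if (buf[0] != T3448_IEI_ASSUMED) return 0;
    size_t len = buf[1];
    if (len < 1) return 0;                   /* (*) value byte required */
    if (len > avail - 2) return 0;           /* (*) claimed LEN vs real bytes */
    out->unit  = (buf[2] >> 5) & 0x07;
    out->count = buf[2] & 0x1F;
    return 2 + len;                          /* extra value bytes are skipped */
}

int main(void) {
    /* Constructed samples: a well-formed IE, then one whose LEN claims
     * five value bytes although the buffer ends after the header. */
    const uint8_t good[] = {0x6B, 0x01, 0x45};
    const uint8_t short_ie[] = {0x6B, 0x05};
    t3448_t t;
    size_t n = decode_t3448(good, sizeof good, &t);
    printf("good: consumed=%zu unit=%u count=%u\n", n, t.unit, t.count);
    n = decode_t3448(short_ie, sizeof short_ie, &t);
    printf("truncated: consumed=%zu (0 = rejected)\n", n);
    return 0;
}
```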
Attack Vector
The attack is network-based and can be conducted remotely without authentication or user interaction. An attacker with the ability to transmit crafted cellular signaling messages (such as through a rogue base station or compromised network element) can send malicious OTA messages containing specially crafted T3448 Information Elements.
The attack flow involves:
- Attacker establishes communication with the target device over the cellular network
- Malicious OTA message with crafted T3448 IE is transmitted to the target
- The vulnerable firmware attempts to decode the T3448 IE
- Improper boundary validation leads to out-of-bounds memory read
- Memory corruption results in data leakage or system crash
Due to the network-accessible nature of this vulnerability and the lack of required privileges or user interaction, exploitation can be performed silently against any affected device within radio range of an attacker-controlled transmitter.
Detection Methods for CVE-2024-49846
Indicators of Compromise
- Unexpected modem processor crashes or restarts without user action
- Abnormal cellular connectivity behavior following network attachment
- Memory fault exceptions in modem subsystem logs
- Unusual patterns in baseband diagnostic data indicating memory access violations
Detection Strategies
- Monitor device logs for modem subsystem crashes or abnormal restarts
- Implement network traffic analysis to detect anomalous OTA signaling patterns
- Deploy endpoint detection solutions capable of monitoring baseband processor health
- Utilize SentinelOne Singularity platform for comprehensive endpoint visibility across mobile and IoT devices
Monitoring Recommendations
- Enable verbose logging on affected devices where possible to capture modem subsystem events
- Implement alerting for repeated modem crashes that may indicate exploitation attempts
- Monitor for firmware integrity anomalies on devices running vulnerable Qualcomm chipsets
- Coordinate with mobile carriers to identify potentially malicious network traffic patterns
How to Mitigate CVE-2024-49846
Immediate Actions Required
- Review the Qualcomm Security Bulletin May 2025 for complete vulnerability details
- Inventory all devices utilizing affected Qualcomm chipsets across your organization
- Prioritize firmware updates for devices with cellular connectivity exposed to untrusted networks
- Contact device manufacturers to obtain patched firmware releases
- Consider network-level mitigations to filter potentially malicious OTA signaling where feasible
Patch Information
Qualcomm has addressed this vulnerability in their May 2025 Security Bulletin. Organizations should work with their device manufacturers (OEMs) to obtain and apply firmware updates that incorporate the Qualcomm security patches.
The fix addresses the root cause by implementing proper boundary validation in the T3448 IE decoding routine, ensuring that read operations cannot exceed buffer boundaries. Device manufacturers receive security patches from Qualcomm and are responsible for integrating these fixes into their firmware update processes.
For detailed patch information and affected component lists, refer to the Qualcomm Security Bulletin May 2025.
Workarounds
- No complete workarounds are available; firmware patching is the recommended remediation
- Where possible, limit device exposure to untrusted cellular networks
- For automotive and IoT deployments, implement network segmentation to isolate affected devices
- Monitor affected devices closely for signs of exploitation until patches can be applied
- Consider disabling cellular connectivity temporarily on critical devices where alternative communication methods are available
# Verify Qualcomm firmware version on Android devices
adb shell getprop ro.baseband
adb shell getprop gsm.version.baseband
# Check for security patch level
adb shell getprop ro.build.version.security_patch
# For enterprise environments, use MDM to verify firmware versions
# across all managed devices with Qualcomm chipsets
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.