
CVE-2024-53019: Qualcomm Fastconnect 6200 Info Disclosure

CVE-2024-53019 is an information disclosure vulnerability in Qualcomm Fastconnect 6200 Firmware caused by improper RTP packet header validation. This article covers the technical details, affected firmware versions, and mitigation.

CVE-2024-53019 Overview

CVE-2024-53019 is an information disclosure vulnerability in multiple Qualcomm firmware components. The flaw occurs while decoding a Real-time Transport Protocol (RTP) packet that contains an improper header length value for the number of contributing sources (CSRC). An attacker on the network can trigger an out-of-bounds read to disclose sensitive memory contents from the affected device. The issue affects a wide range of Snapdragon mobile platforms, FastConnect Wi-Fi/Bluetooth chipsets, audio codecs, and connectivity processors. Qualcomm addressed the issue in its June 2025 security bulletin.

Critical Impact

Network-adjacent attackers can read sensitive process memory from devices using affected Qualcomm chipsets by sending malformed RTP packets, with no authentication or user interaction required.

Affected Products

  • Qualcomm Snapdragon 8 Gen 1, 8 Gen 2, 8 Gen 3, 8+ Gen 1, 8+ Gen 2, and Snapdragon 4/429/480/695/835 mobile platforms
  • Qualcomm FastConnect 6200, 6700, 6900, and 7800 connectivity subsystems
  • Qualcomm WCD, WCN, WSA, QCA, QCM, QCS, SA, SM, and SW series firmware components listed in the June 2025 bulletin

Discovery Timeline

  • 2025-06-03 - CVE-2024-53019 published to NVD
  • 2025-06 - Qualcomm releases security patch in the June 2025 security bulletin
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-53019

Vulnerability Analysis

The vulnerability is classified as [CWE-126] Buffer Over-read. It occurs in the RTP packet decoding logic shipped with multiple Qualcomm firmware components used for voice and media transport over IP. RTP headers include a 4-bit CC (CSRC count) field that indicates how many 32-bit contributing source identifiers follow the fixed header. The decoder fails to validate that the declared CSRC count matches the actual length of the received packet. When an attacker supplies a CSRC count larger than the data present, the parser reads beyond the packet buffer into adjacent memory. The leaked contents can include fragments of other packets, internal state, or sensitive data residing in the firmware heap.

Root Cause

The root cause is missing bounds validation between the RTP header CC field and the actual buffer length supplied to the decoder. The firmware uses the attacker-controlled count to advance pointers and copy CSRC identifiers without first confirming the buffer holds 12 + (CC * 4) bytes. This trust in caller-supplied length metadata produces a classic header-length over-read.

Attack Vector

Exploitation is network-based and requires no privileges or user interaction. An attacker delivers a crafted RTP datagram to an affected device participating in a VoIP, video, or media session, or to any service that processes RTP traffic on the chipset. The malformed packet sets the CC field to a value inconsistent with the packet's true length. When the firmware parses the packet, it reads adjacent memory and may return or process that memory in subsequent operations, leaking information back over the network channel. The flaw does not by itself permit code execution, but the disclosed memory can aid in defeating address space layout randomization or recovering session-related secrets.

Detection Methods for CVE-2024-53019

Indicators of Compromise

  • Inbound RTP packets whose declared CSRC count (CC field) implies a header of 12 + (CC * 4) bytes that is longer than the UDP payload actually received.
  • Repeated malformed RTP datagrams from the same source address targeting media-handling endpoints.
  • Unexpected media session crashes, baseband resets, or kernel log entries referencing the RTP decoder on Qualcomm-based devices.

Detection Strategies

  • Inspect RTP traffic at network sensors and validate that 12 + (CC * 4) does not exceed the UDP payload length (whatever remains after the header is RTP payload), alerting on datagrams that fail this check.
  • Monitor mobile device management (MDM) telemetry for Qualcomm firmware versions older than the June 2025 security bulletin baseline.
  • Hunt for anomalous spikes in RTP traffic to or from devices outside of normal VoIP session patterns.
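The bounds check described under Root Cause and the sensor-side validation listed above are the same test, so one added example covers both. The C below is not Qualcomm's firmware code and is not taken from this article: it is a self-contained RTP fixed-header parser that refuses any datagram whose declared CSRC count would require more bytes than are present, and, going slightly beyond the article, also bounds-checks the optional header extension signalled by the X bit. The three packets are constructed sample input; the struct, enum and function names are this example's own.

```c
/* Added example: bounds-checked RTP header parsing (RFC 3550 layout).
 * Not Qualcomm code. Shows the check the article says is missing:
 * the datagram must hold 12 + 4*CC bytes before the CSRC list is read. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RTP_FIXED_HDR_LEN 12
#define RTP_MAX_CSRC      15          /* CC is a 4-bit field */

typedef struct {
    uint8_t  version, padding, extension, csrc_count, marker, payload_type;
    uint16_t seq;
    uint32_t timestamp, ssrc;
    uint32_t csrc[RTP_MAX_CSRC];
    size_t   header_len;              /* fixed header + CSRC list + extension */
} rtp_header_t;

typedef enum {
    RTP_OK = 0,
    RTP_ERR_TOO_SHORT,                /* fewer than 12 bytes */
    RTP_ERR_BAD_VERSION,              /* version field is not 2 */
    RTP_ERR_CSRC_OVERRUN,             /* declared CC needs more bytes than present */
    RTP_ERR_EXT_OVERRUN               /* header extension runs past the datagram */
} rtp_status_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the RTP header in buf[0..len). Every read is preceded by a length check,
 * so a lying CC field is rejected instead of walking into adjacent memory. */
rtp_status_t rtp_parse_header(const uint8_t *buf, size_t len, rtp_header_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < RTP_FIXED_HDR_LEN) return RTP_ERR_TOO_SHORT;
    out->version      = buf[0] >> 6;
    if (out->version != 2) return RTP_ERR_BAD_VERSION;
    out->padding      = (buf[0] >> 5) & 1;
    out->extension    = (buf[0] >> 4) & 1;
    out->csrc_count   = buf[0] & 0x0f;
    out->marker       = buf[1] >> 7;
    out->payload_type = buf[1] & 0x7f;
    out->seq          = rd16(buf + 2);
    out->timestamp    = rd32(buf + 4);
    out->ssrc         = rd32(buf + 8);

    /* The check the vulnerable decoder lacked: 12 + 4*CC must fit in len. */
    size_t need = RTP_FIXED_HDR_LEN + 4u * out->csrc_count;
    if (len < need) return RTP_ERR_CSRC_OVERRUN;
    for (unsigned i = 0; i < out->csrc_count; i++)
        out->csrc[i] = rd32(buf + RTP_FIXED_HDR_LEN + 4u * i);

    if (out->extension) {             /* 4-byte extension header + length words */
        if (len < need + 4) return RTP_ERR_EXT_OVERRUN;
        size_t ext_words = rd16(buf + need + 2);
        if (len < need + 4 + 4 * ext_words) return RTP_ERR_EXT_OVERRUN;
        need += 4 + 4 * ext_words;
    }
    out->header_len = need;
    return RTP_OK;
}

/* Wrappers a sensor or test harness can call without handling the struct. */
rtp_status_t rtp_validate(const uint8_t *buf, size_t len)
{ rtp_header_t h; return rtp_parse_header(buf, len, &h); }
size_t rtp_header_length(const uint8_t *buf, size_t len)
{ rtp_header_t h; return rtp_parse_header(buf, len, &h) == RTP_OK ? h.header_len : 0; }
uint32_t rtp_csrc(const uint8_t *buf, size_t len, unsigned idx)
{ rtp_header_t h; return (rtp_parse_header(buf, len, &h) == RTP_OK && idx < h.csrc_count) ? h.csrc[idx] : 0; }

const char *rtp_status_name(rtp_status_t s)
{
    static const char *names[] = { "ok", "too-short", "bad-version", "csrc-overrun", "ext-overrun" };
    return names[s];
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t kGoodRtp[] = {           /* V=2 CC=2, PT=8, two CSRCs, 4 payload bytes */
    0x82, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00, 0xA0, 0xDE, 0xAD, 0xBE, 0xEF,
    0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22, 0xD5, 0xD5, 0xD5, 0xD5 };
static const uint8_t kCsrcOverrunRtp[] = {    /* CC=15 claims 60 CSRC bytes, only 4 follow */
    0x8F, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0xA1, 0xDE, 0xAD, 0xBE, 0xEF,
    0xD5, 0xD5, 0xD5, 0xD5 };
static const uint8_t kExtOverrunRtp[] = {     /* X=1, extension length 16 words, 4 bytes present */
    0x90, 0x08, 0x00, 0x03, 0x00, 0x00, 0x00, 0xA2, 0xDE, 0xAD, 0xBE, 0xEF,
    0xBE, 0xDE, 0x00, 0x10, 0xD5, 0xD5, 0xD5, 0xD5 };

int main(void)
{
    printf("good:          %s (header %zu bytes)\n", rtp_status_name(rtp_validate(kGoodRtp, sizeof kGoodRtp)),
           rtp_header_length(kGoodRtp, sizeof kGoodRtp));
    printf("csrc-overrun:  %s\n", rtp_status_name(rtp_validate(kCsrcOverrunRtp, sizeof kCsrcOverrunRtp)));
    printf("ext-overrun:   %s\n", rtp_status_name(rtp_validate(kExtOverrunRtp, sizeof kExtOverrunRtp)));
    return 0;
}
```

The same `rtp_validate` call works on the firmware side (reject before copying CSRCs) and on a network sensor fed with UDP payloads (alert on anything other than `RTP_OK`); the second constructed packet is exactly the shape the article's Indicators of Compromise describe, a CC value that cannot fit in the datagram.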

Monitoring Recommendations

  • Centralize VoIP and SIP/RTP gateway logs and correlate malformed packet events with downstream device telemetry.
  • Track Qualcomm vendor advisories and patch-level reporting from device OEMs to confirm the June 2025 fix is deployed.
  • Alert when devices participate in RTP sessions with untrusted external peers over the public internet.

How to Mitigate CVE-2024-53019

Immediate Actions Required

  • Apply the Qualcomm firmware updates referenced in the Qualcomm Security Bulletin June 2025 through your device OEM update channel.
  • Inventory mobile, IoT, automotive, and wearable assets that use the affected Snapdragon, FastConnect, WCN, WCD, WSA, or QCA components and prioritize them for patching.
  • Restrict RTP and SIP traffic to known, trusted peers at the network perimeter until patches reach end-user devices.

Patch Information

Qualcomm published fixes in the June 2025 security bulletin. Device manufacturers integrate these firmware updates into their monthly Android security patch levels or vendor-specific update channels. Confirm that endpoints report a patch level dated June 2025 or later that explicitly lists CVE-2024-53019 as remediated.

Workarounds

  • Disable or restrict applications and services that accept RTP traffic from untrusted networks on affected devices.
  • Route RTP media through a session border controller (SBC) that performs strict RTP header validation and drops malformed packets.
  • Segment vulnerable IoT, automotive, and wearable devices onto isolated VLANs with egress filtering to limit attacker reachability.
```bash
# Example: filter RTP traffic at a Linux-based SBC or gateway using nftables.
# nftables cannot parse the RTP CC field, so these rules only drop datagrams too
# short to carry a 12-byte RTP fixed header and rate-limit the rest on a typical
# RTP port range; CSRC-count validation must happen in the SBC's media stack.
nft add table inet rtp_filter
nft add chain inet rtp_filter input { type filter hook input priority 0 \; policy accept \; }
# "udp length" is the UDP header's length field (8-byte UDP header + payload),
# so a value below 20 means fewer than 12 bytes of RTP header.
nft add rule inet rtp_filter input udp dport 16384-32767 udp length \< 20 counter drop
nft add rule inet rtp_filter input udp dport 16384-32767 limit rate 1000/second accept
nft add rule inet rtp_filter input udp dport 16384-32767 log prefix \"RTP-DROP \" drop
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
