
CVE-2024-53026: Qualcomm Apq8017 Info Disclosure Flaw

CVE-2024-53026 is an information disclosure vulnerability in Qualcomm Apq8017 Firmware triggered by invalid RTCP packets during VoLTE/VoWiFi calls. This article covers technical details, affected versions, and mitigation.

CVE-2024-53026 Overview

CVE-2024-53026 is an information disclosure vulnerability affecting a broad range of Qualcomm chipsets and firmware. The flaw occurs when an invalid Real-time Transport Control Protocol (RTCP) packet is received during a Voice over LTE (VoLTE) or Voice over Wi-Fi (VoWiFi) IMS call. A remote attacker can trigger out-of-bounds memory access in the IMS stack by sending a malformed RTCP packet, causing the device to expose memory contents over the network. The vulnerability is tracked under CWE-126: Buffer Over-read and impacts hundreds of Snapdragon, FastConnect, QCA, and IoT platform variants.

Critical Impact

Remote attackers on the IMS signaling path can read uninitialized or adjacent memory from the modem subsystem during an active VoLTE or VoWiFi call, without authentication or user interaction.

Affected Products

  • Qualcomm Snapdragon mobile platforms (Snapdragon 8 Gen 1/2/3, 8+ Gen 1/2, 888, 865, 855, 845, 835 and many others)
  • Qualcomm FastConnect connectivity subsystems (FastConnect 6200, 6700, 6800, 6900, 7800)
  • Qualcomm automotive, IoT, XR, and wearable platforms (SA8155P, SA8295P, QCS series, Snapdragon XR2, Snapdragon W5+ Gen 1)

Technical Details for CVE-2024-53026

Vulnerability Analysis

The vulnerability resides in the IMS (IP Multimedia Subsystem) modem firmware component responsible for parsing RTCP control packets exchanged during VoLTE and VoWiFi calls. RTCP packets carry sender and receiver reports, source description items, and feedback messages associated with active RTP media streams. When the IMS stack receives a malformed RTCP packet, length fields and chunk boundaries are not validated correctly against the actual buffer size.

The processing logic reads past the declared end of the packet buffer, producing a buffer over-read [CWE-126]. The leaked bytes can include adjacent heap memory belonging to the modem process, which may contain call state metadata, signaling identifiers, cryptographic material, or other in-flight data. The flaw is reachable over the network with no privileges and no user interaction.

Root Cause

The defect is a missing bounds check during deserialization of RTCP fields. The parser trusts the length and count indicators carried inside the inbound packet and uses them to index into the receive buffer without confirming that the indicated regions fall within the bytes actually received. A packet that advertises a length larger than the real payload therefore makes the parser read memory beyond the packet, including uninitialized or adjacent heap data.

Attack Vector

An attacker positioned to deliver IP traffic to the IMS endpoint of a vulnerable device, such as a malicious or compromised upstream node in the carrier signaling path, a rogue Wi-Fi network used for VoWiFi calls, or an IMS peer, can send a crafted RTCP packet to a target during a live call. The vulnerable firmware processes the packet and may return memory contents in subsequent RTCP feedback frames or expose data through observable side effects in modem behavior. The attack requires only an active VoLTE or VoWiFi session on the target device.

Detection Methods for CVE-2024-53026

Indicators of Compromise

  • Anomalous or malformed RTCP packets observed on IMS signaling paths during VoLTE or VoWiFi sessions
  • RTCP packets containing length or count fields inconsistent with the actual UDP payload size
  • Unexpected modem subsystem crashes, resets, or radio link recovery events correlated with inbound RTCP traffic
  • Unusual RTCP feedback bursts originating from peer endpoints not associated with the legitimate call

Detection Strategies

  • Deploy carrier-side IMS inspection that validates RTCP packet length, chunk counts, and SDES item boundaries before forwarding traffic to subscriber devices
  • Correlate modem firmware crash logs and qcrashinfo reports with the timing of inbound RTCP traffic during voice calls
  • Use mobile threat defense telemetry to flag devices on firmware levels predating the Qualcomm June 2025 security bulletin remediation
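The root-cause section above describes a parser that trusts the RTCP length and count fields, and the detection strategies call for validating packet length, chunk counts and SDES item boundaries against the real datagram. The following bounds-checked RTCP compound-packet validator is an added example written for this page; it is not Qualcomm firmware, not code from any vendor, and not the specific vulnerable routine. It follows the RFC 3550 RTCP layout, and the three sample datagrams are constructed for illustration. The same logic serves either as the check a hardened parser would perform or as the rule a carrier-side inspection point would apply before forwarding traffic.

```c
/* Added example (not from the page or any vendor): bounds-checked RTCP
 * compound-packet validation per RFC 3550. Every offset is checked against
 * the bytes actually received, never against the header's own claim. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTCP_PT_SDES 202u

enum rtcp_verdict {
    RTCP_OK = 0,
    RTCP_BAD_VERSION,            /* version bits != 2 */
    RTCP_TRUNCATED_HEADER,       /* fewer than 4 bytes left for a header */
    RTCP_LENGTH_EXCEEDS_BUFFER,  /* declared length runs past the datagram */
    RTCP_SDES_CHUNK_OVERFLOW,    /* SDES chunk SSRC does not fit */
    RTCP_SDES_ITEM_OVERFLOW      /* SDES item length runs past the packet */
};

/* Walk SDES chunks: SSRC, then items (type, length, text) ended by a zero
 * type and null-padded to a 32-bit boundary. off never exceeds pkt_len. */
static enum rtcp_verdict validate_sdes(const uint8_t *pkt, size_t pkt_len,
                                       unsigned chunk_count)
{
    size_t off = 4; /* skip the common RTCP header */
    for (unsigned c = 0; c < chunk_count; c++) {
        if (pkt_len - off < 4) return RTCP_SDES_CHUNK_OVERFLOW;
        off += 4; /* SSRC/CSRC */
        for (;;) {
            if (off >= pkt_len) return RTCP_SDES_ITEM_OVERFLOW;
            uint8_t type = pkt[off];
            if (type == 0) { off++; break; }          /* end of item list */
            if (pkt_len - off < 2) return RTCP_SDES_ITEM_OVERFLOW;
            size_t item_len = pkt[off + 1];
            if (pkt_len - off - 2 < item_len) return RTCP_SDES_ITEM_OVERFLOW;
            off += 2 + item_len;
        }
        while (off % 4 != 0) {                        /* padding octets */
            if (off >= pkt_len) return RTCP_SDES_ITEM_OVERFLOW;
            off++;
        }
    }
    return RTCP_OK;
}

/* Validate a whole UDP payload holding one or more RTCP packets. */
enum rtcp_verdict rtcp_validate(const uint8_t *buf, size_t buf_len,
                                unsigned *out_subpackets)
{
    size_t off = 0;
    unsigned n = 0;
    while (off < buf_len) {
        if (buf_len - off < 4) return RTCP_TRUNCATED_HEADER;
        const uint8_t *h = buf + off;
        if ((h[0] >> 6) != 2) return RTCP_BAD_VERSION;
        unsigned count = h[0] & 0x1fu;                        /* RC / SC */
        uint8_t pt = h[1];
        size_t len = ((((size_t)h[2] << 8) | h[3]) + 1) * 4;  /* words -> bytes */
        /* The CWE-126 check: a parser that omits it reads past the datagram
         * whenever the header advertises more bytes than arrived. */
        if (len > buf_len - off) return RTCP_LENGTH_EXCEEDS_BUFFER;
        if (pt == RTCP_PT_SDES) {
            enum rtcp_verdict v = validate_sdes(h, len, count);
            if (v != RTCP_OK) return v;
        }
        off += len;
        n++;
    }
    if (out_subpackets) *out_subpackets = n;
    return RTCP_OK;
}

/* Constructed sample 1: well-formed RR (8 bytes) followed by SDES (16 bytes). */
static const uint8_t SAMPLE_VALID[] = {
    0x80, 0xC9, 0x00, 0x01, 0xDE, 0xAD, 0xBE, 0xEF,  /* RR, length=1, SSRC */
    0x81, 0xCA, 0x00, 0x03, 0x11, 0x22, 0x33, 0x44,  /* SDES, SC=1, length=3, SSRC */
    0x01, 0x04, 'a', 'b', 'c', 'd', 0x00, 0x00       /* CNAME "abcd", end, pad */
};
/* Constructed sample 2: RR header claims 17 words (68 bytes), 8 received. */
static const uint8_t SAMPLE_BAD_LENGTH[] = {
    0x80, 0xC9, 0x00, 0x10, 0xDE, 0xAD, 0xBE, 0xEF
};
/* Constructed sample 3: SDES CNAME item claims 32 bytes inside a 16-byte packet. */
static const uint8_t SAMPLE_BAD_SDES[] = {
    0x81, 0xCA, 0x00, 0x03, 0x11, 0x22, 0x33, 0x44,
    0x01, 0x20, 'a', 'b', 'c', 'd', 0x00, 0x00
};

enum rtcp_verdict check_sample_valid(void)
{ return rtcp_validate(SAMPLE_VALID, sizeof SAMPLE_VALID, NULL); }
unsigned subpackets_in_sample_valid(void)
{ unsigned n = 0; rtcp_validate(SAMPLE_VALID, sizeof SAMPLE_VALID, &n); return n; }
enum rtcp_verdict check_sample_bad_length(void)
{ return rtcp_validate(SAMPLE_BAD_LENGTH, sizeof SAMPLE_BAD_LENGTH, NULL); }
enum rtcp_verdict check_sample_bad_sdes(void)
{ return rtcp_validate(SAMPLE_BAD_SDES, sizeof SAMPLE_BAD_SDES, NULL); }

int main(void)
{
    printf("valid=%d subpackets=%u bad_length=%d bad_sdes=%d\n",
           check_sample_valid(), subpackets_in_sample_valid(),
           check_sample_bad_length(), check_sample_bad_sdes());
    return 0;
}
```

The validator rejects sample 2 with RTCP_LENGTH_EXCEEDS_BUFFER and sample 3 with RTCP_SDES_ITEM_OVERFLOW; those two verdicts correspond directly to the indicators listed above (length or count fields inconsistent with the UDP payload size). Any sub-packet type other than SDES is still length-checked but not parsed further, so a deployment that needs SR/RR report-block or feedback-message validation would extend it in the same style: compute the expected size from the count field and compare it with the bytes remaining before touching them.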

Monitoring Recommendations

  • Inventory mobile and IoT fleets against the affected chipset list in the Qualcomm June 2025 Security Bulletin and track patch deployment status by OEM
  • Monitor enterprise Wi-Fi networks that carry VoWiFi traffic for RTCP traffic originating from non-IMS sources
  • Track vendor security bulletins from device OEMs (Samsung, Xiaomi, Google, automotive vendors) for downstream patch release dates

How to Mitigate CVE-2024-53026

Immediate Actions Required

  • Apply the Qualcomm firmware updates referenced in the June 2025 Security Bulletin as soon as the corresponding OEM update is available
  • Identify all corporate-managed mobile devices, automotive head units, and IoT endpoints built on the affected Qualcomm platforms and prioritize them for patching
  • Where firmware updates are not yet available from a device OEM, restrict VoWiFi usage to trusted Wi-Fi networks and disable VoWiFi calling on high-risk endpoints

Patch Information

Qualcomm published patches for CVE-2024-53026 in the Qualcomm June 2025 Security Bulletin. Patched firmware is delivered to end devices through downstream OEM and carrier update channels. Administrators should verify the security patch level reported by each device matches or exceeds the June 2025 baseline that incorporates the Qualcomm fix.

Workarounds

  • Disable VoWiFi calling on managed devices that cannot yet receive the patched firmware
  • Force voice traffic over circuit-switched fallback where carrier policy and device capability allow, removing the IMS RTCP processing path
  • Apply mobile device management (MDM) policies that block use of untrusted Wi-Fi networks for voice services on affected devices

```bash
# Example MDM policy enforcement (pseudo-configuration)
# Disable VoWiFi until June 2025 patch level is confirmed
policy.voice.vowifi_enabled = false
policy.voice.volte_enabled = true
policy.compliance.min_security_patch_level = "2025-06-01"
policy.network.block_untrusted_wifi_for_voice = true
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.