Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-53027

CVE-2024-53027: Qualcomm Qca9367 Firmware DOS Vulnerability

CVE-2024-53027 is a denial of service flaw in Qualcomm Qca9367 Firmware that causes transient DOS during country IE processing. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2024-53027 Overview

CVE-2024-53027 is a transient denial-of-service (DoS) vulnerability affecting a broad range of Qualcomm chipsets and firmware. The flaw resides in WLAN processing logic that handles the country Information Element (IE), a field carried in 802.11 management frames. A network-adjacent attacker can trigger the condition without authentication or user interaction. The vulnerability maps to CWE-120 (Buffer Copy without Checking Size of Input). Qualcomm addressed the issue in its March 2025 security bulletin. Affected products span Snapdragon mobile, automotive, compute, XR, wearable, and FastConnect Wi-Fi platforms used in smartphones, IoT devices, and connected vehicles.

Critical Impact

A malformed country IE in a Wi-Fi management frame can cause a transient denial-of-service condition on hundreds of Qualcomm SoCs and connectivity firmware variants, disrupting wireless connectivity on impacted devices.

Affected Products

  • Qualcomm Snapdragon mobile platforms (Snapdragon 8 Gen 1/2/3, 888, 865, 778G, 695, 480, 460, and others)
  • Qualcomm FastConnect Wi-Fi subsystems (FastConnect 6200, 6700, 6800, 6900, 7800) and QCA-series Wi-Fi firmware (QCA6174A, QCA6391, QCA6696, QCA9367, QCA9377)
  • Qualcomm automotive, XR, wearable, and compute platforms including SA8155P, SA8295P, SA8775P, Snapdragon XR2, Snapdragon W5+ Gen 1, and Snapdragon 7c+ Gen 3

Discovery Timeline

Technical Details for CVE-2024-53027

Vulnerability Analysis

The vulnerability occurs in Qualcomm WLAN firmware while parsing the country IE within 802.11 beacon, probe response, or association response frames. The country IE conveys regulatory domain information including country code and a list of triplets describing channel ranges and transmit power limits. The parser does not adequately validate the length of input data before copying it into a fixed-size buffer, consistent with CWE-120. When a crafted country IE is processed, the WLAN subsystem enters an inconsistent state and crashes, producing a transient DoS that interrupts wireless connectivity until the subsystem recovers.

Root Cause

The root cause is improper bounds checking when handling variable-length fields inside the country IE. The firmware trusts attacker-influenced length values from the management frame and copies channel/regulatory data without enforcing a maximum size against the destination buffer. This buffer copy without size validation leads to memory corruption sufficient to crash the WLAN processing context.

Attack Vector

Exploitation requires the victim device to receive a malformed 802.11 management frame containing a malicious country IE. An attacker within wireless range can broadcast crafted beacons or probe responses, or operate a rogue access point that advertises the malformed IE. No authentication, association, or user interaction is required because management frames are processed by the WLAN driver before any user-level authorization. The result is a crash of the WLAN subsystem and loss of Wi-Fi service on the affected device.

No public proof-of-concept exploit has been published, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2024-53027

Indicators of Compromise

  • Repeated, unexpected WLAN subsystem crashes, restarts, or kernel logs referencing the Wi-Fi driver on Qualcomm-based devices
  • Sudden loss of Wi-Fi connectivity coinciding with the presence of nearby unknown SSIDs broadcasting unusual regulatory information
  • Beacon or probe response frames containing oversized or malformed country IE (element ID 7) fields captured during wireless monitoring

Detection Strategies

  • Deploy a wireless intrusion detection system (WIDS) to inspect 802.11 management frames for non-conformant country IE structures and length fields
  • Correlate device-side WLAN crash telemetry with nearby RF activity to identify potential adjacent-network attacks
  • Track firmware build identifiers across the Qualcomm fleet and flag devices that have not received the March 2025 security update

Monitoring Recommendations

  • Aggregate mobile device management (MDM) and endpoint telemetry to surface devices reporting recurring WLAN driver faults
  • Monitor enterprise Wi-Fi controllers for anomalous beacon sources advertising malformed regulatory information
  • Establish a baseline of normal Wi-Fi reconnection rates per device and alert on sustained deviations that may indicate adjacent DoS attempts

How to Mitigate CVE-2024-53027

Immediate Actions Required

  • Apply the Qualcomm March 2025 firmware updates as distributed by device OEMs and carriers to all affected handsets, automotive head units, IoT gateways, and Wi-Fi access points
  • Inventory devices using affected Snapdragon, QCA, FastConnect, and SA-series components and prioritize patching for those exposed to untrusted wireless environments
  • For unpatched devices, restrict use in high-risk RF environments such as public venues, conferences, and shared facilities

Patch Information

Qualcomm has released fixes through its Qualcomm Security Bulletin March 2025. Patched firmware must be delivered to end-user devices by OEMs and mobile carriers. Verify update availability with each device vendor and confirm deployment via MDM or endpoint management tooling.

Workarounds

  • Disable Wi-Fi on unpatched devices when operating in untrusted or public RF environments
  • Where feasible, restrict devices to known enterprise SSIDs and use 802.11w (Protected Management Frames) on the wireless infrastructure to reduce exposure to forged management frames
  • Segregate vulnerable IoT and automotive endpoints onto isolated wireless networks until firmware updates are confirmed
bash
# Example: query connected device firmware via ADB to identify Qualcomm WLAN build
adb shell getprop | grep -iE "wlan|qcom|build.version"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.