RC RANDOM CHAOS

CVE-2024-43047 hit live targets in 2024

CVE-2024-3679 maps to no Qualcomm bug. The real 2024 Snapdragon zero-day is CVE-2024-43047 - a DSP/FastRPC use-after-free, CVSS 7.8, exploited in the wild.


CVE-2024-3679 does not describe a Qualcomm heap corruption bug. No public advisory maps that identifier to a Snapdragon memory allocator flaw. There is no product called Qualcomm Linux 2.0 carrying it. And Qualcomm runs no fleet telemetry showing handsets exploited in the wild under that number - that is not how mobile silicon vendors work. The premise is wrong on every specific.

The bug class it gestures at is real. A Qualcomm memory-corruption zero-day was disclosed in 2024, was used against live targets, and produced exactly the local privilege escalation the headline promises. It carries a different number. CVE-2024-43047. CVSS v3 base score 7.8. Vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. That is the one that matters. The rest of this piece is what it actually does.

The flaw is a use-after-free. CWE-416. It sits in the Qualcomm DSP Service, specifically the adsprpc kernel driver that implements FastRPC. FastRPC is the remote-procedure transport between the Android applications processor running the High-Level OS and the on-die DSP subsystems - the aDSP and cDSP cores that handle audio, camera, and machine-learning offload. The kernel driver maintains memory maps between HLOS buffers and DSP address space. Qualcomm’s own wording is precise: memory corruption while maintaining memory maps of HLOS memory. A mapping object is freed while a reference to it stays reachable. Later FastRPC operations reuse the stale object. The dangling reference is the primitive.

A use-after-free is not automatically code execution. It becomes execution when the freed allocation is reclaimed with attacker-controlled contents before the stale reference is used again. The adsprpc bookkeeping objects live on kernel slab caches. Freeing a mapping object returns its chunk to the kmalloc slab for that size class, and the next same-size allocation from that cache typically receives it. An attacker running in app context sprays same-size allocations through adjacent kernel interfaces to reoccupy that chunk with a forged structure. When the driver next dereferences the dangling pointer, it operates on attacker-shaped data inside kernel address space. Controlled type confusion on a freed kernel object can then be turned into a kernel read and write. This is a local kernel primitive, not a userspace one. The corruption lands in kernel mode, EL1 on arm64, not in the app's own address space.
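What the lifecycle bug and the reclaim look like in code, as an added model written for this page. It is not Qualcomm's adsprpc code: the record layout, the per-client map table and the LIFO slab are stand-ins chosen so that reuse is deterministic and the program stays inside defined behaviour. A mapping record is freed while its table slot still points at it, an attacker-sized allocation takes the chunk back, and the stale reference then reads the forged record. The fixed release unlinks the slot and drops the reference before the memory goes back to the allocator.

```c
/* Added model of the mapping-lifecycle UAF class (not the adsprpc driver).
 * A tiny LIFO slab stands in for one kmalloc size class: the chunk freed last
 * is the chunk handed out next, which is what a spray relies on. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 32
#define NCHUNKS    8
#define NMAPS      4

/* Hypothetical stand-in for a FastRPC mapping record. */
struct hlos_map {
    uint64_t phys;      /* address the driver will program into the DSP */
    uint32_t len;
    uint32_t refcount;
};

/* Slab storage, kept as a union so every chunk is suitably aligned. */
static union chunk { struct hlos_map m; unsigned char raw[CHUNK_SIZE]; } slab[NCHUNKS];
static void *freelist[NCHUNKS];
static int nfree;

static void slab_init(void) {
    nfree = 0;
    for (int i = NCHUNKS - 1; i >= 0; i--) freelist[nfree++] = &slab[i];
}
static void *slab_alloc(void) { return nfree ? freelist[--nfree] : NULL; }
static void slab_free(void *p) { memset(p, 0, CHUNK_SIZE); freelist[nfree++] = p; }

/* Per-client map table: index -> record, like a driver's per-fd map list. */
static struct hlos_map *maps[NMAPS];

static int map_create(int id, uint64_t phys, uint32_t len) {
    if (id < 0 || id >= NMAPS) return -1;
    struct hlos_map *m = slab_alloc();
    if (!m) return -1;
    m->phys = phys; m->len = len; m->refcount = 1;
    maps[id] = m;
    return 0;
}

/* VULNERABLE: the record goes back to the slab but maps[id] keeps pointing at it. */
static void map_release_vuln(int id) {
    slab_free(maps[id]);            /* maps[id] now dangles */
}

/* FIXED: unlink the slot, drop the reference, and only then free. */
static void map_release_fixed(int id) {
    struct hlos_map *m = maps[id];
    if (!m) return;
    maps[id] = NULL;
    if (--m->refcount == 0)
        slab_free(m);
}

/* Attacker side: reoccupy the just-freed chunk with a forged record. */
static void spray_forged_record(uint64_t forged_phys) {
    struct hlos_map *fake = slab_alloc();    /* LIFO: receives the freed chunk */
    fake->phys = forged_phys; fake->len = 0x1000; fake->refcount = 1;
}

/* Driver side, on the next FastRPC operation: the address it would hand to
 * the DSP for this map, or 0 if the map is gone. */
static uint64_t map_use(int id) {
    struct hlos_map *m = maps[id];
    return m ? m->phys : 0;
}

uint64_t demo_vulnerable(void) {
    slab_init(); memset(maps, 0, sizeof maps);
    map_create(0, 0xDEAD0000ULL, 0x1000);
    map_release_vuln(0);
    spray_forged_record(0x4141414141414141ULL);
    return map_use(0);              /* stale pointer reads the forged record */
}

uint64_t demo_fixed(void) {
    slab_init(); memset(maps, 0, sizeof maps);
    map_create(0, 0xDEAD0000ULL, 0x1000);
    map_release_fixed(0);
    spray_forged_record(0x4141414141414141ULL);
    return map_use(0);              /* slot was cleared: the spray changes nothing */
}

int main(void) {
    printf("vulnerable: phys=0x%llx\n", (unsigned long long)demo_vulnerable());
    printf("fixed:      phys=0x%llx\n", (unsigned long long)demo_fixed());
    return 0;
}
```

The model makes the reclaim land every time. On a real kernel the spray competes with every other allocation in the same kmalloc size class, the forged object has to be in place before the driver's next use of the stale pointer, and the object's fields have to survive whatever the driver does with them before reaching the dereference that matters.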

The reason this surface is worth attacker effort is reachability. The adsprpc device node is exposed to the untrusted_app SELinux domain. DSP offload is used by media codecs, camera pipelines, and neural-network frameworks, so the ioctl interface is not sealed behind system_server or a privileged HAL. Ordinary sandboxed apps talk to it by design; on a Qualcomm Android device, ls -lZ /dev/adsprpc-smd shows the node and its SELinux label, and the vendor policy is what lets the app domain open it. That makes the DSP RPC path one of the few kernel driver surfaces an unprivileged app can drive directly. A memory-corruption bug there converts an app-context foothold into a kernel-context compromise without an intermediate privileged process. For an exploit chain, that is a short, high-value link.

The exploit path assumes prior code execution in app context. That comes from a malicious application, or from a chained renderer compromise in a browser or messaging client that already holds a sandboxed foothold. From there the actor drives the adsprpc ioctl surface, triggers the free, grooms the kernel slab to reclaim the object, and turns the dangling reference into arbitrary kernel read/write. The terminal step is standard Android kernel escalation - overwriting a task credential structure to uid 0 and flipping SELinux out of enforcing. This maps to MITRE ATT&CK for Mobile T1404, Exploitation for Privilege Escalation. No remote step is involved in the bug itself. It is the escalation stage, not initial access.

Attribution and in-the-wild status are not speculation. Qualcomm credited Google Project Zero researchers Seth Jenkins and Conghui Wang for the report, and Amnesty International Security Lab for confirming active exploitation. That pairing is a signature. Project Zero and the Amnesty Security Lab surface together on commercial spyware investigations - mercenary implant chains aimed at journalists, activists, and dissidents. Qualcomm's bulletin cited indications from Google's Threat Analysis Group that the bug may be under limited, targeted exploitation. The profile fits a short chain where a memory-corruption LPE follows an initial-access primitive, matching Pegasus- and Predator-class tradecraft rather than commodity malware. Qualcomm shipped patches to OEMs in the October 2024 security bulletin, covering more than sixty Snapdragon chipsets across handset, compute, and automotive lines.

The telemetry claim in the original premise is where it fails hardest. There is no Qualcomm SOC watching adsprpc ioctls across a billion devices. Silicon vendors do not run endpoint detection on shipped handsets. A firmware- and kernel-level DSP use-after-free is below the layer where mobile security tooling operates. There is no Sysmon on Android, no kernel ETW equivalent exposed to enterprise MDM, and no app-layer EDR with visibility into slab reuse inside the adsprpc driver. Mobile device management sees policy compliance and installed packages. It does not see a groomed kmalloc cache. The exploitation step is effectively invisible to the defensive stack most organizations actually run on phones.

What does surface exploitation is forensic acquisition, after the fact. Amnesty’s Mobile Verification Toolkit parses device backups and diagnostic data for known implant IOCs. On-device residue includes DSP subsystem restart events - SSR entries - when an exploit destabilizes the aDSP or cDSP, kernel oops traces in dmesg from failed reclaim attempts, and crash artifacts in diag logs. None of that reaches a central console in real time. Network indicators come later, from the implant’s command-and-control traffic once the payload is resident, not from the memory-corruption step that installed it. The detection gap is structural. The vulnerable code runs beneath the observable surface, and the only reliable signal is a targeted forensic pull on a device already suspected of compromise. That is retrospective, not preventive, and it scales to individuals, not fleets.
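A first-pass triage over the residue named above, as an added example written for this page; it is not MVT or any Qualcomm tool. It counts DSP subsystem restarts, kernel oops banners, and lines that name the adsprpc/fastrpc driver in dmesg- or bugreport-style text. The sample lines are constructed to resemble msm-kernel subsystem-restart messages and arm64 oops output; exact formats vary by kernel version and OEM build, so the substrings are a starting point for a pull, not a signature.

```c
/* Added triage example (not MVT, not a Qualcomm tool). Scans log lines for
 * the three artifact classes the text names and decides whether they justify
 * a full forensic acquisition. Sample input is constructed, not captured. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct dsp_triage {
    int dsp_ssr;      /* restart sequences requested for adsp or cdsp */
    int kernel_oops;  /* oops / panic banners */
    int rpc_driver;   /* lines naming the adsprpc/fastrpc driver */
};

/* msm subsystem-restart style: "... Restart sequence requested for adsp, ..." */
static int is_dsp_ssr(const char *line) {
    const char *key = "Restart sequence requested for ";
    const char *p = strstr(line, key);
    if (!p) return 0;
    p += strlen(key);
    return strncmp(p, "adsp", 4) == 0 || strncmp(p, "cdsp", 4) == 0;
}

/* Common arm64 oops/panic banners; formats differ across kernel versions. */
static int is_kernel_oops(const char *line) {
    return strstr(line, "Unable to handle kernel") != NULL ||
           strstr(line, "Internal error: Oops") != NULL ||
           strstr(line, "Kernel panic") != NULL;
}

static int names_rpc_driver(const char *line) {
    return strstr(line, "adsprpc") != NULL || strstr(line, "fastrpc") != NULL;
}

/* One pass over the lines, counting each category. */
struct dsp_triage triage_lines(const char *const *lines, size_t n) {
    struct dsp_triage t = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (is_dsp_ssr(lines[i])) t.dsp_ssr++;
        if (is_kernel_oops(lines[i])) t.kernel_oops++;
        if (names_rpc_driver(lines[i])) t.rpc_driver++;
    }
    return t;
}

/* A DSP restart on its own is weak evidence: DSP firmware crashes on healthy
 * devices too. A restart that co-occurs with an oops or with driver-level
 * errors is what tips the balance toward a full pull. */
int warrants_forensic_pull(const struct dsp_triage *t) {
    return t->dsp_ssr > 0 && (t->kernel_oops > 0 || t->rpc_driver > 0);
}

/* Constructed sample lines; not a capture from a real device. */
static const char *const sample_log[] = {
    "[ 1203.441] subsys-restart: subsystem_restart_dev(): Restart sequence requested for adsp, restart_level = RELATED.",
    "[ 1203.442] adsprpc: fastrpc_internal_munmap: munmap failed for fd 12",
    "[ 1310.017] Unable to handle kernel paging request at virtual address ffffffc0deadbeef",
    "[ 1310.020] Call trace:",
    "[ 1310.021]  fastrpc_ioctl+0x1a4/0x6c0",
    "[ 1400.000] wlan: CONNECTED to bssid 00:11:22:33:44:55",
    "[ 1500.300] subsys-restart: subsystem_restart_dev(): Restart sequence requested for cdsp, restart_level = RELATED.",
};
#define SAMPLE_COUNT (sizeof sample_log / sizeof sample_log[0])

struct dsp_triage triage_sample(void) {
    return triage_lines(sample_log, SAMPLE_COUNT);
}

int sample_warrants_pull(void) {
    struct dsp_triage t = triage_sample();
    return warrants_forensic_pull(&t);
}

int main(void) {
    struct dsp_triage t = triage_sample();
    printf("dsp_ssr=%d kernel_oops=%d rpc_driver=%d -> forensic pull: %s\n",
           t.dsp_ssr, t.kernel_oops, t.rpc_driver,
           sample_warrants_pull() ? "yes" : "no");
    return 0;
}
```

Run it against a real dmesg or the kernel section of a bugreport by replacing the constructed array with lines read from the file. The decision function is deliberately conservative in one direction only: it never declares a device clean, because a successful exploit that does not destabilize the DSP leaves none of these traces, which is the structural gap the text describes.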

The patch boundary is October 2024 at the OEM level. Residual exposure is the downstream lag. A Qualcomm fix reaching a device depends on the OEM folding it into an Android security patch level and the carrier shipping it. Budget and end-of-life Snapdragon devices may never receive the update, leaving the primitive live indefinitely on hardware that stays in service for years. Post-patch, the class does not close. The DSP RPC path has produced repeated memory-corruption CVEs - CVE-2024-23369 in the same firmware family among them - because the root is not one allocator. It is the lifecycle bookkeeping of HLOS-to-DSP memory maps, a stateful surface reachable from untrusted code. Fixing one dangling reference does not retire the pattern that produced it.

The operational takeaway is narrow and it starts before any of the above. Check the identifier before briefing it. A CVE number that resolves to no advisory, no CVSS record, and no vendor bulletin is not a finding - it is a tell. CVE-2024-3679 is that. CVE-2024-43047 is the real event, and it did everything the fabricated one claimed, on hardware that shipped in hundreds of millions of devices, against people who were actually targeted.
