PatchSiren

CVE-2022-22071 Qualcomm CVE debrief

CVE-2022-22071 is a Qualcomm multiple-chipset use-after-free vulnerability that CISA added to the Known Exploited Vulnerabilities catalog on 2023-12-05. Because it is in the KEV catalog, defenders should treat it as a high-priority issue and verify whether any Qualcomm-based devices, embedded systems, or downstream products in their environment rely on the affected component or protocol. CISA’s guidance is to apply vendor remediations or mitigations; if those are unavailable, discontinue use of the product.

Vendor: Qualcomm
Product: Multiple Chipsets
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2023-12-05
Original CVE updated: 2023-12-05
Advisory published: 2023-12-05
Advisory updated: 2023-12-05

Who should care

Security teams, asset owners, device fleet operators, OEMs, embedded-system administrators, mobile/device management teams, and suppliers that deploy or resell products containing Qualcomm multiple-chipset components or related third-party/open-source dependencies.

Technical summary

The available source corpus identifies CVE-2022-22071 as a use-after-free vulnerability affecting Qualcomm multiple chipsets. CISA’s KEV note says the issue may affect a common open-source component, third-party library, or protocol used by different products, so the exact exposure depends on each vendor’s implementation and patch status. The KEV entry does not provide exploit details, but its inclusion indicates known exploitation and a need for urgent remediation tracking.

Defensive priority

High, urgent priority. KEV inclusion means known exploitation, and CISA sets a remediation due date of 2023-12-26 for this entry.

Recommended defensive actions

  • Inventory all devices, firmware, and products that include Qualcomm chipset dependencies or downstream components tied to this CVE.
  • Check OEM/vendor advisories and patch notes for product-specific remediation status; do not assume a single Qualcomm fix applies universally.
  • Apply vendor-provided remediations or mitigations as soon as they are available.
  • If remediation or mitigation is unavailable, follow CISA guidance to discontinue use of the affected product.
  • Prioritize exposed, internet-facing, mission-critical, or fleet-wide deployments first.
  • Validate that mitigations remain in place after firmware updates, device refreshes, or supplier-replaced components.
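
The actions above can be tracked per asset against the KEV due date. The following Python example is added here and is not code from CISA or the source material; the KEV entry values come from this page, while the inventory, the OEM names, and the `fix` status labels are constructed assumptions.

```python
from datetime import date

# KEV entry fields and values as cited on this page.
KEV_ENTRY = {
    "cveID": "CVE-2022-22071",
    "vendorProject": "Qualcomm",
    "product": "Multiple Chipsets",
    "dateAdded": "2023-12-05",
    "dueDate": "2023-12-26",
}

# Constructed sample inventory: asset names, OEMs and statuses are hypothetical.
# "fix" records the per-OEM remediation state, since one Qualcomm fix
# cannot be assumed to reach every downstream product.
INVENTORY = [
    {"asset": "handset-fleet-a", "oem": "OEM-A", "fix": "applied", "exposed": False},
    {"asset": "iot-gateway-7", "oem": "OEM-B", "fix": "available", "exposed": True},
    {"asset": "rugged-tablet-2", "oem": "OEM-C", "fix": "none", "exposed": False},
    {"asset": "kiosk-modem-1", "oem": "OEM-D", "fix": "unknown", "exposed": True},
]

# Next step per remediation state, mirroring the recommended actions.
ACTIONS = {
    "applied": "validate the fix persists after updates",
    "available": "apply the OEM remediation",
    "none": "discontinue use per the CISA required action",
    "unknown": "check the OEM advisory for patch status",
}

def triage(entry, inventory, today):
    """Return one row per asset: open and exposed assets first."""
    days_left = (date.fromisoformat(entry["dueDate"]) - today).days
    rows = []
    for item in inventory:
        # Treat any unrecognised status as unknown rather than as patched.
        fix = item.get("fix") if item.get("fix") in ACTIONS else "unknown"
        is_open = fix != "applied"
        rows.append({
            "asset": item["asset"],
            "action": ACTIONS[fix],
            "days_left": days_left,
            "overdue": is_open and days_left < 0,
            "rank": (not is_open, not item.get("exposed", False)),
        })
    return sorted(rows, key=lambda r: r["rank"])  # stable within a rank

if __name__ == "__main__":
    for row in triage(KEV_ENTRY, INVENTORY, date.today()):
        print(row["asset"], "|", row["action"], "| overdue:", row["overdue"])
```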

Evidence notes

Supported facts come from the provided CISA KEV source item and the official resource links. The source item lists vendorProject=Qualcomm, product=Multiple Chipsets, vulnerabilityName=Qualcomm Multiple Chipsets Use-After-Free Vulnerability, dateAdded=2023-12-05, dueDate=2023-12-26, and requiredAction to apply remediations or mitigations per vendor instructions or discontinue use if unavailable. The KEV note also states that this vulnerability affects a common open-source component, third-party library, or protocol used by different products and recommends checking specific vendors for patching status. The source corpus does not include CVSS, exploit technique details, affected chipset models, or patch version numbers.

Official resources

Publicly disclosed through the CVE record and the CISA Known Exploited Vulnerabilities catalog. The provided source dates show the KEV entry and source item published/modified on 2023-12-05, with CISA’s remediation due date set to 2023-12-