PatchSiren cyber security CVE debrief
CVE-2023-33063 Qualcomm CVE debrief
CVE-2023-33063 is a Qualcomm use-after-free vulnerability affecting multiple chipsets and listed by CISA in the Known Exploited Vulnerabilities catalog on 2023-12-05. Because it is in KEV, defenders should treat it as a priority issue for affected Qualcomm-based products and the vendors that incorporate those components. CISA’s guidance is to apply vendor remediations or mitigations, or discontinue use if remediation is unavailable.
- Vendor: Qualcomm
- Product: Multiple Chipsets
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2023-12-05
- Original CVE updated: 2023-12-05
- Advisory published: 2023-12-05
- Advisory updated: 2023-12-05
Who should care
Mobile OEMs, device and firmware vendors, product security teams, and operators running products built on affected Qualcomm chipsets or downstream components should review this immediately. Teams tracking CISA KEV deadlines should also verify whether any deployed products remain exposed.
Technical summary
The supplied source identifies CVE-2023-33063 as a use-after-free in Qualcomm Multiple Chipsets. CISA’s KEV note says the issue affects a common open-source component, third-party library, or protocol used by different products, and points readers to vendor-specific patch status and Qualcomm kernel fix references. The source corpus does not provide a CVSS score or a deeper exploit path description, so any impact assessment should stay tied to vendor guidance.
Defensive priority
High. CISA placed this CVE in KEV, which means it should be treated as an active defensive priority for exposure reduction, patching, and mitigation verification.
Recommended defensive actions
- Inventory products and firmware that depend on Qualcomm chipsets or Qualcomm-provided components.
- Check each vendor’s advisory or release notes for patch availability and applicability.
- Apply vendor remediations or mitigations as soon as they are available.
- If no remediation exists, follow CISA guidance and discontinue use of the affected product or isolate it until a fix is available.
- Validate that downstream vendors who ship Qualcomm-based products have actually integrated the fix.
- Track deployment status against the KEV due date (2023-12-26) to gauge remediation urgency.
Evidence notes
CISA’s Known Exploited Vulnerabilities entry for CVE-2023-33063 was published and modified on 2023-12-05 and lists vendorProject Qualcomm, product Multiple Chipsets, and the vulnerability name “Qualcomm Multiple Chipsets Use-After-Free Vulnerability.” The KEV metadata includes the remediation instruction to apply vendor remediations or mitigations, or discontinue use if they are unavailable. The source note also references Qualcomm kernel fix commits for the msm-5.15 and msm-4.14 branches. No CVSS score was supplied in the corpus, so this debrief avoids assigning severity beyond KEV priority.
Official resources
- CVE-2023-33063 CVE record (CVE.org)
- CVE-2023-33063 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA): Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
- Source item URL: cisa_kev
This public debrief is based only on the supplied CISA KEV metadata and official CVE/NVD links. It does not add exploit details or unsupported impact claims.