PatchSiren cyber security CVE debrief

CVE-2023-33106 Qualcomm CVE debrief

CVE-2023-33106 affects multiple Qualcomm chipsets and is described as a use of out-of-range pointer offset vulnerability. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, so defenders should treat it as a live risk rather than a purely theoretical bug. Because CISA notes that the issue may affect a common open-source component, third-party library, or protocol used by different products, remediation can vary by downstream vendor.

Vendor: Qualcomm
Product: Multiple Chipsets
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2023-12-05
Original CVE updated: 2023-12-05
Advisory published: 2023-12-05
Advisory updated: 2023-12-05

Who should care

Organizations using Qualcomm-based devices or components, as well as OEMs and vendors that ship products built on affected Qualcomm chipsets or shared downstream components, should prioritize this CVE.

Technical summary

The official description identifies an out-of-range pointer offset condition in multiple Qualcomm chipsets. CISA’s KEV entry indicates known exploitation and advises checking vendor-specific patching status, which suggests the affected code path may be embedded in a shared component used across multiple products.

Defensive priority

Immediate

Recommended defensive actions

  • Check whether any in-scope devices, firmware, or vendor products include the affected Qualcomm component.
  • Apply vendor remediations or mitigations as soon as they are available.
  • If remediation or mitigations are unavailable, discontinue use of the affected product per CISA guidance.
  • Confirm patching status with each downstream vendor, since CISA notes the issue may appear in shared components used by different products.
  • Verify remediation after deployment and keep records of affected assets and vendor advisories.

Evidence notes

This debrief is limited to the supplied official records and links. CISA’s KEV data identifies CVE-2023-33106 as a known exploited vulnerability, with dateAdded 2023-12-05 and dueDate 2023-12-26, and states: 'Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.' The KEV notes also say the issue may affect a common open-source component, third-party library, or protocol used by different products, so patch status may differ by vendor. No CVSS score was provided in the supplied corpus.

Official resources

CISA published the KEV record for CVE-2023-33106 on 2023-12-05 and set the remediation due date to 2023-12-26. This debrief uses only the supplied official CVE/CISA sources.