AVID-2026-R1475
Description
Buffer Over-read in Neural Processing Unit (CVE-2024-33037)
Details
Information disclosure: NPU firmware can send an invalid IPC message to the NPU driver, because the driver doesn't validate the IPC messages it receives from the firmware. A malformed message can cause the driver to read beyond the intended buffer bounds.
Reason for inclusion in AVID: CVE-2024-33037 describes a buffer over-read in NPU firmware that can disclose information via invalid IPC messages to the NPU driver. This directly involves AI inference hardware/firmware (NPU) and its software stack (firmware and driver), which are components used to build, deploy, and run AI systems on Qualcomm Snapdragon hardware. As such, it is a vulnerability in software components that underpin AI pipelines, with a confirmed security impact (information disclosure) and signal in the CVE entry. This satisfies the criteria for AI relevance and GP AI software supply chain components, with sufficient evidence from the CVE entry.
References
- NVD entry
- https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2024-bulletin.html
Affected or Relevant Artifacts
- Developer: Qualcomm, Inc.
- Deployer: Qualcomm, Inc.
- Artifact Details:
| Type | Name |
|---|---|
| System | Snapdragon |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L |
| Base Score | 6.1 |
| Base Severity | 🟠 Medium |
| Attack Vector | LOCAL |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | NONE |
| Availability Impact | 🟢 Low |
CWE
| ID | Description |
|---|---|
| CWE-126 | Buffer Over-read |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-12-02
- Version: 0.3.3
- AVID Entry