CVE-2020-11292

Name of the Vulnerable Software and Affected Versions Qualcomm Snapdragon Auto versions (affected versions not specified) Qualcomm Snapdragon Compute versions (affected versions not specified) Qualcomm Snapdragon Connectivity versions (affected versions not specified) Qualcomm Snapdragon Consumer IOT versions (affected versions not specified) Qualcomm Snapdragon Industrial IOT versions (affected versions not specified) Qualcomm Snapdragon IoT versions (affected versions not specified) Qualcomm Snapdragon Mobile versions (affected versions not specified) Qualcomm Snapdragon Voice & Music versions (affected versions not specified) Qualcomm Snapdragon Wearables versions (affected versions not specified)

Description The issue is related to a possible buffer overflow in the voice service due to lack of input validation of parameters in the QMI Voice API. This could allow hackers to spy on Android devices by hiding malicious activity in modem chips. A vulnerability in the 5G modem data service could allow mobile hackers to remotely target Android users by injecting malicious code into a phone’s modem, gaining the ability to execute code, access mobile users’ call histories and text messages, and eavesdrop on phone calls. A malicious app can exploit the issue, which could affect up to 30 percent of Android phones.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.