CVE-2023-33063 — Qualcomm Multiple Chipsets Use-After-Free Vulnerability

Qualcomm DSP Services — Use-After-Free During HLOS-to-DSP Remote Call Enables Kernel Privilege Escalation on Android; Limited Targeted Exploitation Acknowledged

What is Qualcomm DSP Services?

Qualcomm chipsets power the majority of Android flagship and mid-range smartphones and tablets worldwide — including devices from Samsung, Google, OnePlus, Motorola, Xiaomi, and others. Qualcomm's architecture includes a Digital Signal Processor (DSP) alongside the main ARM application processor, with the DSP handling media processing, AI inference, and other signal processing tasks. Communication between the main Linux/Android OS (HLOS — High-Level Operating System) and the DSP occurs through a proprietary inter-processor communication layer. Vulnerabilities in this IPC layer can allow a malicious Android application to escalate privileges from the application sandbox to kernel level — a critical step in full device compromise by commercial spyware.

Overview

CVE-2023-33063 is a use-after-free vulnerability in Qualcomm's DSP Services arising from memory corruption during a remote procedure call from the main Android OS (HLOS) to the DSP processor. Qualcomm disclosed it in the December 2023 Security Bulletin and acknowledged "limited, targeted exploitation" — language Qualcomm uses when they have confirmed in-the-wild exploitation, typically by commercial mobile spyware or nation-state actors. CISA added CVE-2023-33063 to KEV on the same day as the bulletin, alongside the two companion Graphics driver vulnerabilities (CVE-2023-33106 and CVE-2023-33107) also confirmed exploited.

Affected Versions

CVE-2023-33063 affects multiple Qualcomm chipsets across Android device product lines. Specific affected chipsets are listed in the Qualcomm December 2023 Security Bulletin. OEM vendors (Samsung, Google, OnePlus, etc.) incorporate Qualcomm patches into their monthly Android security updates — device-specific fix availability depends on the OEM's update cadence for each device model.

Technical Details

CWE-416 (Use After Free). Qualcomm's DSP Services layer manages inter-processor communication between the Android OS and the Qualcomm DSP. During a remote call from HLOS to DSP, the DSP Services code manages memory allocations associated with the call parameters and return data. A use-after-free occurs when the code frees a memory buffer but retains a pointer to it, then uses that pointer again in a subsequent operation.

By triggering the use-after-free at a controlled time (race condition or crafted call sequence), an attacker who has already achieved code execution as a low-privilege Android app can place attacker-controlled data in the freed memory location and then trigger the dangling pointer dereference — achieving controlled memory corruption that can be escalated to kernel code execution on the Qualcomm-powered device.

Kernel code execution on Android enables full device compromise: bypassing the Android sandbox, accessing encrypted data, and installing persistent monitoring software.

Discovery

The vulnerability was reported to Qualcomm by security researchers. Qualcomm's acknowledgment of "limited, targeted exploitation" in the December 2023 bulletin confirms that it was found following evidence of active exploitation, consistent with commercial spyware or nation-state mobile exploit chain development.

Exploitation Context

Qualcomm acknowledging "limited, targeted exploitation" in December 2023 alongside CVE-2023-33106 and CVE-2023-33107 strongly suggests these three vulnerabilities were used together as part of a sophisticated Android exploit chain — likely targeting journalists, dissidents, government officials, or other high-value individuals. Commercial mobile spyware vendors (e.g., NSO Group, Intellexa) and nation-state cyber units maintain Android exploit chains that typically combine a renderer/app sandbox escape with a kernel privilege escalation.

The simultaneous acknowledgment of three Qualcomm chipset vulnerabilities as exploited in the same bulletin is consistent with a multi-stage exploit chain: CVE-2023-33063 (DSP use-after-free) and/or CVE-2023-33106/33107 (Graphics memory corruption) providing the kernel escalation step.

Remediation

  1. Apply Android security updates for December 2023 (2023-12-01 and 2023-12-05 security patch levels) or later — these include the Qualcomm patches for CVE-2023-33063, CVE-2023-33106, and CVE-2023-33107.
  2. Check your Android device's security patch level (Settings → About Phone → Android Security Update) — ensure it is December 2023 or later.
  3. OEMs distribute Qualcomm patches in their monthly Android updates with varying delays — contact your device manufacturer if updates are not available.
  4. For high-risk individuals (government employees, journalists, activists): consider enabling Lockdown Mode (iOS) or using hardened Android configurations (GrapheneOS) to reduce the attack surface for sophisticated exploit chains targeting mobile devices.
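
The patch-level check in steps 1 and 2 can be scripted for a device inventory. The following is an added example, not code from Qualcomm, Google, or this page's author. The default threshold of 2023-12-05 is an assumption (the later of the two levels named in step 1, chosen to be conservative), and the inventory format, device names, and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): compare Android security patch levels
# against the December 2023 level named in the remediation steps.
# Assumption: default threshold is 2023-12-05, the later of the two levels.
REQUIRED_SPL="${REQUIRED_SPL:-2023-12-05}"

# Convert YYYY-MM-DD to YYYYMMDD; fail on anything else.
spl_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# Print MEETS, BELOW or UNKNOWN for patch level $1 against threshold $2.
classify_spl() {
    have=$(spl_to_int "$1") || { echo UNKNOWN; return 0; }
    need=$(spl_to_int "${2:-$REQUIRED_SPL}") || { echo UNKNOWN; return 0; }
    if [ "$have" -ge "$need" ]; then echo MEETS; else echo BELOW; fi
}

# Read "device_id,patch_level" lines on stdin; print "device_id status".
# Optional $1 overrides the threshold for the whole inventory.
triage_inventory() {
    while IFS=, read -r dev spl; do
        [ -n "$dev" ] || continue
        printf '%s %s\n' "$dev" "$(classify_spl "$spl" "$1")"
    done
}

# Query one USB-connected device; requires adb on PATH.
check_connected_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 2; }
    classify_spl "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
}

# Constructed sample inventory (device names are made up).
SAMPLE_INVENTORY='phone-a01,2024-01-05
phone-b17,2023-11-01
phone-c09,2023-12-01
tablet-d33,unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
```

Devices reported as UNKNOWN returned no parsable patch level and need manual review; pass 2023-12-01 as the argument to triage_inventory to accept either December 2023 level.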

Key Details

CVE ID: CVE-2023-33063
Vendor / Product: Qualcomm — Multiple Chipsets
NVD Published: 2023-12-05
NVD Last Modified: 2025-10-27
CVSS 3.1 Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-416
CISA KEV Added: 2023-12-05
CISA KEV Deadline: 2023-12-26
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-12-26. Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.

Timeline

2023-12-05: Qualcomm December 2023 Security Bulletin published — CVE-2023-33063, CVE-2023-33106, and CVE-2023-33107 flagged as under 'limited, targeted exploitation'; CISA adds all three to KEV same day
2023-12-26: CISA BOD 22-01 remediation deadline

References

Qualcomm December 2023 Security Bulletin (Vendor Advisory)
NVD — CVE-2023-33063 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)