CVE-2023-33106 — Qualcomm Multiple Chipsets Use of Out-of-Range Pointer Offset Vulnerability

Qualcomm GPU Driver — Out-of-Range Pointer Offset in GPU AUX Command IOCTL Enables Kernel Privilege Escalation on Android; Limited Targeted Exploitation Acknowledged

What is Qualcomm's GPU Driver (KGSL)?

Qualcomm's Adreno GPUs handle graphics on most Snapdragon-based Android phones, from flagships to mid-range models. The Kernel Graphics Support Layer (KGSL) is the kernel driver that sits between user space and that hardware: the GPU user-mode drivers (the OpenGL ES and Vulkan libraries) open the KGSL device node, /dev/kgsl-3d0 on these devices, and submit work through IOCTL calls, and KGSL validates and queues the commands for the GPU. Because KGSL runs inside the Linux kernel yet parses requests from ordinary applications, a memory-safety bug in one of its IOCTL handlers is a local privilege escalation path from the Android app sandbox to kernel code execution, which is the key step in a full device compromise.

Overview

CVE-2023-33106 is a use of out-of-range pointer offset vulnerability (CWE-823) in Qualcomm's GPU kernel driver, KGSL, in the handling of IOCTL_KGSL_GPU_AUX_COMMAND when a large list of sync points is submitted with an AUX command. A local application with no special privileges can trigger memory corruption in the kernel and potentially gain kernel code execution. Qualcomm first acknowledged "limited, targeted exploitation" of this CVE and its companions CVE-2023-33107 and CVE-2023-33063 in its October 2023 Security Bulletin, citing indications from Google Threat Analysis Group and Google Project Zero, and published the details in the December 2023 Security Bulletin; CISA added all three to the KEV catalog on 2023-12-05, the day the NVD entry was published.

Affected Versions

CVE-2023-33106 affects multiple Qualcomm chipsets; Qualcomm lists the specific parts in the December 2023 Security Bulletin, and that list should be checked for a given part number rather than assuming a device is unaffected. Android OEMs fold Qualcomm's fixes into their monthly security updates, so the date a given device model receives the fix depends on that manufacturer's update schedule.

Technical Details

CWE-823 (Use of Out-of-Range Pointer Offset). The handler for IOCTL_KGSL_GPU_AUX_COMMAND takes a user-supplied list of GPU synchronization points (a pointer to the list together with its entry size and entry count) and walks that list in the kernel. Qualcomm's description is memory corruption while submitting a large list of sync points to this IOCTL. The underlying pattern is that a pointer offset derived from the user-controlled list size is not kept within the bounds of the kernel buffer it indexes, so with a suitably large list the kernel reads from or writes to memory outside that buffer. A local attacker who sizes the list carefully therefore gets kernel memory corruption at an offset the attacker influences.

This is distinct from CVE-2023-33107 (integer overflow during shared virtual memory region assignment via a different IOCTL path) — both involve KGSL IOCTL processing but through different code paths and different types of memory corruption. Together they provide multiple paths to the same goal: kernel privilege escalation on Qualcomm-powered Android devices.

The PR:N (no privileges required) component reflects that any Android app can open the KGSL device node and issue its IOCTLs without holding any special Android permission, because that access is what ordinary graphics rendering relies on; the vulnerability is therefore reachable from a basic malicious app.
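As an added example that is not Qualcomm's or this page's code, the following C model shows the CWE-823 pattern the Technical Details section describes: an IOCTL-style handler that forms each entry's address from a user-supplied entry count and entry size with no bounds check, next to a hardened version that validates size, count and total length before copying anything. The struct layout, the names aux_cmd_user, synclist, syncsize and numsyncs, the pool buffer and the MAX_SYNCPOINTS cap of 32 are assumptions chosen for the model, not KGSL's definitions, and the sample list is constructed inline.

```c
/*
 * Added illustration (not KGSL source): the CWE-823 pattern behind an
 * "out-of-range pointer offset while processing a large sync point list",
 * beside a hardened handler. Entry layout, field names, the kernel-side
 * buffer and the MAX_SYNCPOINTS cap are all assumptions for the model.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SYNCPOINTS 32u            /* assumed per-command cap */

struct syncpoint {                     /* assumed 16-byte entry */
    uint32_t type;
    uint32_t context_id;
    uint32_t timestamp;
    uint32_t reserved;
};

/* Shape of the user-controlled request: list pointer, entry size, entry
 * count (modelled on the IOCTL argument; names are assumptions). */
struct aux_cmd_user {
    uint64_t synclist;
    uint32_t syncsize;
    uint32_t numsyncs;
};

static struct syncpoint pool[MAX_SYNCPOINTS];   /* stands in for the kernel buffer */

/*
 * Vulnerable pattern: the kernel forms each entry's address as
 * base + index * syncsize with both factors taken from user space and no
 * check that the result stays inside the buffer. The model returns the
 * offset the kernel would use instead of dereferencing it, so it cannot
 * crash; *in_bounds is set to 1 only when the entry fits in the buffer.
 */
size_t unchecked_entry_offset(uint32_t index, uint32_t syncsize, int *in_bounds)
{
    size_t off = (size_t)index * syncsize;   /* on a 32-bit kernel this can also wrap */
    *in_bounds = off + sizeof(struct syncpoint) <= sizeof pool;
    return off;
}

/* Hardened handler: validate size, count and total length before any copy. */
int checked_add_syncs(const struct aux_cmd_user *cmd)
{
    const uint8_t *usrc = (const uint8_t *)(uintptr_t)cmd->synclist;
    size_t total;

    if (cmd->syncsize != sizeof(struct syncpoint))            /* entry size must match */
        return -EINVAL;
    if (cmd->numsyncs == 0 || cmd->numsyncs > MAX_SYNCPOINTS) /* cap the list length */
        return -EINVAL;
    if (__builtin_mul_overflow(cmd->numsyncs, cmd->syncsize, &total))
        return -EOVERFLOW;                                    /* count * size wrapped */
    if (total > sizeof pool)                                  /* final bounds check */
        return -EINVAL;

    memcpy(pool, usrc, total);   /* copy_from_user stand-in: validated length only */
    return 0;
}

uint32_t pool_timestamp(uint32_t i)
{
    return i < MAX_SYNCPOINTS ? pool[i].timestamp : 0;
}

/* Constructed sample input: three sync points. The "large list" case
 * submits the same three entries but claims numsyncs = 100000. */
static const struct syncpoint sample[3] = {
    { 0, 1, 10, 0 }, { 0, 1, 11, 0 }, { 0, 1, 12, 0 },
};

int demo_valid_request(void)
{
    struct aux_cmd_user c = { (uint64_t)(uintptr_t)sample, sizeof(struct syncpoint), 3 };
    return checked_add_syncs(&c);        /* 0: three entries copied */
}

int demo_large_request(void)
{
    struct aux_cmd_user c = { (uint64_t)(uintptr_t)sample, sizeof(struct syncpoint), 100000 };
    return checked_add_syncs(&c);        /* -EINVAL: rejected before any memory access */
}

int main(void)
{
    int ok;
    size_t off = unchecked_entry_offset(100000, sizeof(struct syncpoint), &ok);
    printf("unchecked offset for entry 100000: %zu bytes, in bounds: %d\n", off, ok);
    printf("checked handler, 3 entries: %d\n", demo_valid_request());
    printf("checked handler, 100000 entries: %d\n", demo_large_request());
    return 0;
}
```

The unchecked path shows why the CWE is about the offset rather than the pointer itself: base is a perfectly valid kernel address, and the bug is that index * syncsize, both attacker-chosen, can place the computed entry far past the 512-byte buffer. The hardened path rejects the request on the count, the entry size and the multiplied total, so a large list never reaches the copy.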

Discovery

Qualcomm's October 2023 bulletin attributed the indications of exploitation to Google Threat Analysis Group and Google Project Zero, and withheld details until fixes had reached OEMs. The simultaneous acknowledgment of CVE-2023-33106, CVE-2023-33107 and CVE-2023-33063 suggests they were identified together while investigating a multi-vulnerability exploit chain.

Exploitation Context

The "limited, targeted exploitation" acknowledgment for three Qualcomm vulnerabilities at once is consistent with the discovery of a commercial mobile spyware exploit chain targeting Android devices with Qualcomm chipsets; Qualcomm's bulletins give no attribution, so this remains an inference. GPU driver (KGSL) bugs are a well-established kernel privilege escalation path on Qualcomm Android devices and have appeared in documented spyware campaigns before.

Devices with Qualcomm chipsets running Android without the December 2023 security patches are vulnerable — including devices whose OEMs have not yet distributed the patches, or devices that are no longer receiving security updates.

Remediation

  1. Apply Android security updates at the 2023-12-05 security patch level or later (check Settings → About Phone → Android Security Update, or from a workstation `adb shell getprop ro.build.version.security_patch`).
  2. Patch also addresses CVE-2023-33107 (integer overflow in KGSL) and CVE-2023-33063 (DSP use-after-free) — ensure the complete December 2023 Qualcomm patch set is applied.
  3. Devices that are end-of-life and no longer receiving security updates from their OEM should be considered permanently at risk and replaced where possible.
  4. Enterprise mobile device management: enforce minimum security patch level requirements and block enrollment of devices with outdated patches.

Key Details

Property              Value
CVE ID                CVE-2023-33106
Vendor / Product      Qualcomm — Multiple Chipsets
NVD Published         2023-12-05
NVD Last Modified     2025-10-28
CVSS 3.1 Score        8.4
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-823 (Use of Out-of-Range Pointer Offset)
CISA KEV Added        2023-12-05
CISA KEV Deadline     2023-12-26
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-12-26. Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.

Timeline

Date         Event
2023-10      Qualcomm October 2023 Security Bulletin notes indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107 and CVE-2023-33063 may be under limited, targeted exploitation; fixes provided to OEMs, details withheld
2023-12-05   Qualcomm December 2023 Security Bulletin publishes the details; NVD entry published; all three added to CISA KEV the same day
2023-12-26   CISA BOD 22-01 remediation deadline

References

Resource                                   Type
Qualcomm December 2023 Security Bulletin   Vendor Advisory
NVD — CVE-2023-33106                       Vulnerability Database
CISA KEV Catalog Entry                     US Government