What is Qualcomm's GPU Driver (KGSL)?
Qualcomm's Adreno GPU, paired with the KGSL (GPU Kernel Service Layer) kernel driver, powers graphics on the majority of Android flagship and mid-range smartphones from Samsung, Google, Xiaomi, OnePlus, Motorola, and others. KGSL handles IOCTL-based communication between Android user-space applications and the Adreno GPU kernel driver. Because KGSL operates in kernel space and processes commands from user-space without requiring elevated Android permissions, vulnerabilities in its IOCTL handlers are a viable path from the Android application sandbox to full kernel-level code execution — making them highly sought after by commercial spyware developers and nation-state mobile exploit teams.
Overview
CVE-2023-33107 is an integer overflow vulnerability in Qualcomm's GPU kernel driver (KGSL) that occurs during the assignment of shared virtual memory regions via IOCTL. The integer overflow allows memory size or address calculations to wrap around to unexpected small values, leading to out-of-bounds memory access and kernel memory corruption. Qualcomm disclosed it in the December 2023 Security Bulletin alongside CVE-2023-33106 (out-of-range pointer offset) and CVE-2023-33063 (DSP use-after-free), acknowledging "limited, targeted exploitation" for all three. CISA added all three to KEV on the same day.
Affected Versions
CVE-2023-33107 affects multiple Qualcomm chipsets listed in the December 2023 Qualcomm Security Bulletin. Android OEMs incorporate Qualcomm patches into their monthly security updates at varying cadences; patch availability depends on the OEM and device model.
Technical Details
CWE-190 (Integer Overflow or Wraparound). KGSL supports shared virtual memory regions that allow GPU and CPU to share address spaces for efficient data exchange. An IOCTL call for assigning a shared virtual memory region performs arithmetic on size or address values provided by user-space. An integer overflow in this arithmetic causes the calculated memory region size or destination address to wrap around to an unintended small value, so the kernel allocates or maps memory at an incorrect location or with an incorrect size, resulting in controlled memory corruption.
By crafting specific IOCTL parameters to trigger the integer overflow at a controlled address, a local attacker without special privileges can corrupt kernel memory structures — overwriting function pointers, security-critical data, or kernel code to achieve arbitrary kernel-level code execution.
CVE-2023-33107 and CVE-2023-33106 target different KGSL IOCTL paths (shared virtual memory assignment vs. AUX command sync points) but achieve similar memory corruption outcomes, providing redundant kernel escalation paths within the same driver.
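The wraparound described above, shown as a range check in C beside a hardened form. This is an added illustration of the CWE-190 pattern, not KGSL source; the window constants, function names and sample inputs are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical shared-VM window for this example; not taken from KGSL. */
#define SVM_START 0x0000000100000000ULL
#define SVM_END   0x0000008000000000ULL

/* Flawed check: base + size can wrap past 2^64, so a huge size produces a
 * small 'end' that still satisfies the upper-bound comparison. */
static bool range_ok_unchecked(uint64_t base, uint64_t size)
{
    uint64_t end = base + size;              /* may wrap (CWE-190) */
    return base >= SVM_START && end <= SVM_END;
}

/* Hardened check: bound base first, then compare size against the space
 * remaining in the window. No addition is performed, so nothing can wrap. */
static bool range_ok_checked(uint64_t base, uint64_t size)
{
    if (base < SVM_START || base >= SVM_END)
        return false;
    if (size == 0 || size > SVM_END - base)
        return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: one sane request, one whose size wraps the sum. */
    const uint64_t cases[][2] = {
        { 0x0000000100000000ULL, 0x0000000000001000ULL },
        { 0x0000000100000000ULL, 0xFFFFFFFF00001000ULL },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t base = cases[i][0], size = cases[i][1];
        printf("base=%#llx size=%#llx end=%#llx unchecked=%d checked=%d\n",
               (unsigned long long)base, (unsigned long long)size,
               (unsigned long long)(base + size),
               range_ok_unchecked(base, size), range_ok_checked(base, size));
    }
    return 0;
}
```

In the second case the computed end is smaller than the base, which is the signature of the wrap; the subtraction-based check rejects it without ever forming the sum.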
Discovery
The vulnerability was reported to Qualcomm by security researchers. Its simultaneous disclosure alongside CVE-2023-33106 and CVE-2023-33063, with confirmed exploitation acknowledgment, suggests these vulnerabilities were identified as part of a coordinated exploit chain analysis.
Exploitation Context
See the exploitation context for CVE-2023-33063 and CVE-2023-33106: all three Qualcomm CVEs flagged as exploited in December 2023 represent components of an advanced Android exploit chain targeting Qualcomm-powered devices, most likely deployed by commercial mobile spyware or sophisticated nation-state actors. Qualcomm's simultaneous disclosure and its explicit "limited, targeted exploitation" language confirm real-world use against specific high-value targets.
Remediation
- Apply Android security updates at the 2023-12-05 security patch level or later (Settings → About Phone → Android Security Update).
- The patch addresses CVE-2023-33107 alongside CVE-2023-33106 and CVE-2023-33063; the December 2023 Qualcomm Security Bulletin covers all three.
- Devices no longer receiving OEM security updates should be considered permanently vulnerable and replaced where possible — particularly for high-risk users in government, journalism, or other sensitive roles.
- Enterprise MDM: enforce December 2023 or later security patch level as a minimum requirement for corporate device enrollment.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-33107 |
| Vendor / Product | Qualcomm — Multiple Chipsets |
| NVD Published | 2023-12-05 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 8.4 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-190 |
| CISA KEV Added | 2023-12-05 |
| CISA KEV Deadline | 2023-12-26 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-12-05 | Qualcomm December 2023 Security Bulletin published — CVE-2023-33107, CVE-2023-33106, and CVE-2023-33063 flagged as 'limited, targeted exploitation'; CISA adds all three to KEV same day |
| 2023-12-26 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Qualcomm December 2023 Security Bulletin | Vendor Advisory |
| NVD — CVE-2023-33107 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |