Qualcomm on Monday published a security advisory addressing 20 vulnerabilities found and patched in its products, including what appears to be a zero-day.

The potential zero-day is tracked as CVE-2024-43047 and the vendor says “there are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation”. 

Qualcomm’s advisory describes CVE-2024-43047 as a high-severity use-after-free issue in the DSP service.

Seth Jenkins, the Google Project Zero researcher credited for finding the vulnerability, said on X that Amnesty International and Google’s Threat Analysis Group (TAG) have found evidence of potential in-the-wild exploitation. 

The researcher noted that “hopefully the bug will be patched on Android devices very soon”. The October 2024 security bulletin for Android was published on Monday, but it does not mention CVE-2024-43047.

No information has been shared on the attacks that may involve exploitation of CVE-2024-43047. However, the fact that it was reported by representatives of Google and Amnesty suggests that it has likely been exploited by a commercial spyware vendor against Android devices.

According to Qualcomm, CVE-2024-43047 affects over 60 chipsets, including FastConnect, QCA, QCS, Video Collaboration, SA, SD, SG, Snapdragon, SW, SXR, WCD, WCN, and WSA series products. 

The flaw was reported to Qualcomm in late July and a patch was recently created, but it will take significant time for the patch to reach end user devices and many systems that are not regularly updated will never receive the fix.

It’s not uncommon for Qualcomm chipset vulnerabilities to be exploited in attacks. According to data from CISA’s Known Exploited Vulnerabilities (KEV) catalog, this is the eighth exploited Qualcomm flaw found since 2021.  

Related: Google Patches Android Zero-Day Exploited in Targeted Attacks

Related: Android’s September 2024 Update Patches Exploited Vulnerability

Related: Android Security Update Patches Kernel Vulnerability Exploited by Spyware Vendor