An equally impressive update was released by Google as part of the January patch for Android.
16-01-2023, 12:45
Potentially serious UEFI firmware vulnerabilities in Qualcomm Snapdragon chips affect many devices manufactured by Microsoft, Lenovo, Samsung and many other companies.
Qualcomm has announced the availability of fixes for thirteen vulnerabilities, including five connection and download-related bugs discovered by Binarly researchers.
The researchers found a total of nine vulnerabilities when analyzing the firmware of Lenovo ThinkPad X13s laptops, which are based on the Qualcomm Snapdragon system-on-chip (SoC).
Further analysis showed that five of them affect the Qualcomm reference code, which means they are present in laptops and other devices using Snapdragon chips.
According to Binarly, the Qualcomm vulnerabilities have been confirmed to also affect Arm-based Microsoft Surface computers and the Windows Dev Kit 2023 (Project Volterra), as well as Samsung products.
A total of 22 vulnerabilities in the Snapdragon package have been eliminated.
The most serious flaw is a buffer overflow in Automotive, tracked as CVE-2022-33219 (CVSS score 9.3). Two other serious problems were also fixed:
- CVE-2022-33218 (CVSS score 8.2) — the error is related to memory corruption in Automotive due to incorrect input validation,
- CVE-2022-33265 (CVSS score 7.3) — the vulnerability lies in the disclosure of information in the Powerline Communication firmware.
Qualcomm said that fixes for the vulnerabilities discovered by Binarly were available to customers in November 2022.
The company encourages end users to apply updates as soon as they become available from device manufacturers.