■■■■■ Zero-Day: Three security vulnerabilities have been disclosed in the audio decoders of Qualcomm and MediaTek chips that, if left unresolved, could allow an adversary to remotely gain access to media and audio conversations from affected mobile devices.
The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.
︎CVE-2021-0674 (CVSS score: 5.5, MediaTek) – A case of improper input validation in ALAC decoder leading to information disclosure without any user interaction.
︎CVE-2021-0675 (CVSS score: 7.8, MediaTek) – A local privilege escalation flaw in ALAC decoder stemming from out-of-bounds write.
︎CVE-2021-30351 (CVSS score: 9.8, Qualcomm) – An out-of-bound memory access due to improper validation of number of frames being passed during music playback