Skip to main content

Memory corruption in QSEECOM driver (CVE-2014-4322)

Release Date:

December 22, 2014

Affected Projects:

Android for MSMFirefox OS for MSMQRD Android

Advisory ID:


CVE ID(s):



The following security vulnerability has been identified in the QuIC-authored QSEECOM driver. CVE-2014-4322: The qseecom driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the __qseecom_update_cmd_buf function uses the user-supplied value cmd_buf_offset as an index to a buffer for write operations without any boundary checks, allowing a local application with access to the qseecom device node to, e.g., escalate privileges.

Access Vector: Local
Security Risk: Medium
Access Vector: Local

Affected Versions:

All Android releases from CAF using the Linux kernel.


Qualcomm Innovation Center, Inc. (QuIC) thanks Gal Beniamini for reporting the related issues and working with QuIC to help improve Android device security.


Initial revision