Preface: There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071 and CVE-2023-33063 may be under limited, targeted exploitation. Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible. Please contact your device manufacturer for more information on the patch status about specific devices.

Background: Qualcomm cDSP is a hardware acceleration unit on the Qualcomm platform specifically used for general computing. Compared with the host CPU, the DSP usually runs at a lower clock speed and provides more parallel instruction levels. This makes DSPs a better alternative to CPUs in terms of power consumption. Therefore, porting as many large computing-intensive tasks as possible to the DSP can reduce the overall power consumption of the device.

The Qualcomm Adreno 640 is a smartphone and tablet GPU that is integrated within the Qualcomm Snapdragon 855 SoC. The chip will be available from early 2019 and will be used mainly in high-end Android devices.

Vulnerability details:

Per announcement by vendor, the details of design weakness on those CVE items not published yet. But OEMs have been notified with a strong recommendation to deploy security updates as soon as possible. An limited information told that vulnerabilities affecting Adreno GPU and Compute DSP drivers have been made available.

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin