Qualcomm Snapdragon SoCs Are Vulnerable to Wi-Fi Attack

Tencent has discovered vulnerabilities in Qualcomm SoCs that make it possible to penetrate the modem via the Wi-Fi chip and access the kernel from there. At least the Snapdragon 835 and 845 are vulnerable, and possibly many more SoCs.

Tencent’s security department, Blade, describes the three vulnerabilities in its own advisory: CVE-2019-10539 allows a target to be penetrated over Wi-Fi, CVE-2019-10540 is a buffer overflow that allows access to the modem, and CVE-2019-10538 allows the jump from the modem to the kernel, which would make the device well and truly ‘pwned’.

Blade does not provide details on exactly how the exploits work, as updates have not yet been fully distributed. Blade tested the exploits on the Pixel 2 and Pixel 3, which have the Qualcomm Snapdragon 835 and 845 on board respectively. The researchers call the vulnerabilities QualPwn and will talk more about them this week in presentations at Black Hat and DEF CON.

Qualcomm itself acknowledges the vulnerabilities, but does not mention CVE-2019-10538, which falls under the open-source Linux kernel. Google does write about this vulnerability, but does not mention any vulnerable chipsets. About the other two vulnerabilities, Qualcomm states that they are present in many different Snapdragon chipsets from the 600, 700 and 800 series, which covers countless smartphones and tablets.

Google has fixed the vulnerabilities in the 2019-08-01 security update for Android, but it is up to manufacturers themselves to include these updates in their own variants of the operating system as soon as possible. How long that takes varies by manufacturer.
