CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
Description
Memory Corruption when accessing freed memory due to concurrent fence deregistration and signal handling.
Analysis
Memory corruption via use-after-free in the Qualcomm Snapdragon SDK occurs when concurrent fence deregistration and signal handling operations access freed memory, allowing authenticated local attackers with low privileges to achieve information disclosure and integrity/availability compromise. The CVSS score of 6.5 reflects a local attack vector with high attack complexity; no public exploit code or active exploitation was confirmed at the time of analysis.
Technical Context
This vulnerability stems from a use-after-free condition (CWE-416) in Qualcomm Snapdragon's memory management subsystem, specifically in the interaction between fence (synchronization primitive) deregistration logic and signal handling routines. The root cause involves improper synchronization or timing of memory deallocation: a fence object is freed while signal handlers or concurrent deregistration code paths still hold references to it. When the freed memory is subsequently accessed, it may contain attacker-controlled or uninitialized data, leading to potential code execution or data corruption. The vulnerability is classified under memory corruption and buffer overflow categories, indicating that the use-after-free may enable writing beyond intended boundaries or executing arbitrary instructions within the same process context.
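The lifetime rule that closes this class of race, as an added C example that is not Qualcomm's code or the actual fix: the registry and the signal path each hold their own reference, and lookup plus reference acquisition happen under one lock. All names (`struct fence`, `fence_get`, `fence_put`, `fence_deregister`, `replay_race`) are hypothetical, and the race is replayed in a fixed order on one thread so the result is deterministic.

```c
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical fence and one-slot registry; refs is guarded by reg_lock. */
struct fence { int refs; int signaled; };
static pthread_mutex_t reg_lock = PTHREAD_MUTEX_INITIALIZER;
static struct fence *registry;   /* the registry owns one reference */

int fence_register(void) {
    struct fence *f = calloc(1, sizeof *f);
    if (!f) return -1;
    f->refs = 1;
    pthread_mutex_lock(&reg_lock); registry = f; pthread_mutex_unlock(&reg_lock);
    return 0;
}

struct fence *fence_get(void) {  /* lookup and ref++ in one critical section */
    pthread_mutex_lock(&reg_lock);
    struct fence *f = registry;
    if (f) f->refs++;
    pthread_mutex_unlock(&reg_lock);
    return f;
}

/* Returns 1 when this call dropped the last reference and freed the fence. */
int fence_put(struct fence *f) {
    pthread_mutex_lock(&reg_lock);
    int last = (--f->refs == 0);
    pthread_mutex_unlock(&reg_lock);
    if (last) free(f);
    return last;
}

/* Unpublishes the fence, then drops only the registry's own reference. */
int fence_deregister(void) {
    pthread_mutex_lock(&reg_lock);
    struct fence *f = registry;
    registry = NULL;
    pthread_mutex_unlock(&reg_lock);
    return f ? fence_put(f) : 0;
}

/* Fixed-order replay of the race; 1 means the fence outlived deregistration. */
int replay_race(void) {
    if (fence_register() != 0) return -1;
    struct fence *f = fence_get();          /* signal path picks up the fence */
    int freed_early = fence_deregister();   /* deregistration runs in between */
    f->signaled = 1;                        /* valid: signal path holds a reference */
    return !freed_early && fence_put(f);    /* freed only on the final put */
}
```

If the signal path used the registry pointer without taking its own reference, `fence_deregister` would free the object and the `f->signaled` store would land in freed memory, which is the CWE-416 pattern described above.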
Affected Products
Qualcomm Snapdragon SDK is affected across all versions as indicated by the CPE wildcard pattern (cpe:2.3:a:qualcomm,_inc.:snapdragon:*:*:*:*:*:*:*:*). Exact version boundaries are not specified in available data; affected versions likely include legacy and current Snapdragon releases across mobile, automotive, and embedded platforms. Qualcomm's April 2026 Security Bulletin (referenced) should be consulted for definitive version scoping and platform-specific details.
Remediation
Apply the security update provided in Qualcomm's April 2026 Security Bulletin (https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html), which contains the patched Snapdragon SDK version addressing the concurrent fence deregistration issue. If immediate patching is not feasible, restrict local access to Snapdragon SDK components and disable or isolate signal handling routines that interact with fence deregistration where operationally safe. Monitor Qualcomm's advisory for platform-specific patch availability (mobile firmware OTA updates, SoC silicon revisions, SDK point releases) as remediation timelines vary across Snapdragon product tiers.
EUVD-2025-209222