CVE-2025-47400

| EUVD-2025-209231 HIGH
2026-04-06 qualcomm GHSA-m6mr-p6rr-qvh3
7.1
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Apr 06, 2026 - 16:00 vuln.today
EUVD ID Assigned
Apr 06, 2026 - 16:00 euvd
EUVD-2025-209231
CVE Published
Apr 06, 2026 - 15:33 nvd
HIGH 7.1

Tags

Buffer Overflow

Description

Cryptographic issue while copying data to a destination buffer without validating its size.

Analysis

Buffer overread in Qualcomm Snapdragon cryptographic implementation allows authenticated local attackers to expose sensitive memory contents and potentially manipulate cryptographic operations. The vulnerability (CWE-126) stems from copying data to a destination buffer without size validation, creating high confidentiality and integrity risk. EPSS scoring and KEV status not available at time of analysis; no public exploit identified. Affects Qualcomm Snapdragon chipsets with fix documented in April 2026 security bulletin.

Technical Context

This vulnerability represents a CWE-126 buffer overread in Qualcomm's cryptographic subsystem implementation within Snapdragon chipsets. The flaw occurs when cryptographic operations copy data to destination buffers without proper bounds checking, allowing reads beyond allocated memory boundaries. Buffer overreads in cryptographic contexts are particularly severe because they can expose sensitive key material, authentication tokens, or other security-critical data residing in adjacent memory. The CPE identifier (cpe:2.3:a:qualcomm,_inc.:snapdragon) indicates this affects Qualcomm's Snapdragon product line broadly, which powers billions of mobile devices globally. The cryptographic nature suggests this could impact secure boot, trusted execution environments (TEE), encryption/decryption operations, or secure key storage mechanisms within the Snapdragon security architecture.

Affected Products

Qualcomm Snapdragon chipsets are affected per CPE identifier cpe:2.3:a:qualcomm,_inc.:snapdragon. Specific Snapdragon models and firmware versions are not detailed in available data but likely span multiple product generations given Qualcomm's security bulletin scope. This impacts mobile devices, tablets, automotive systems, IoT devices, and other products utilizing Qualcomm Snapdragon system-on-chip platforms. Complete device and version enumeration is available in Qualcomm's April 2026 Security Bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html.

Remediation

Device manufacturers and end users should apply security updates corresponding to Qualcomm's April 2026 Security Bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html. Exact patched firmware versions vary by device model and OEM implementation schedule. Enterprise environments should prioritize updating affected Snapdragon-based devices through mobile device management platforms once vendor patches become available. End users should install system updates from device manufacturers (Samsung, Xiaomi, OnePlus, etc.) as they incorporate Qualcomm's fixes into OEM firmware releases. No workarounds are documented; patching is the primary mitigation path. Organizations unable to patch immediately should enforce principle of least privilege for application installations and monitor for anomalous cryptographic operation failures or unexpected privilege escalation attempts.

Priority Score

36
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0

Share

CVE-2025-47400 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy