Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Local IOCTL surface reachable only by an on-device app (AV:L, PR:L), reliably triggerable (AC:L), needing no separate user interaction, yielding full kernel-memory compromise (C/I/A:H).
Primary rating from Vendor (qualcomm).
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
Memory Corruption when processing multiple IOCTL calls with the same buffer file descriptor input.
AnalysisAI
Local privilege escalation and memory corruption in Qualcomm Snapdragon chipset drivers allows a malicious application to trigger a use-after-free by issuing multiple IOCTL calls that reference the same buffer file descriptor. The flaw affects a broad range of Snapdragon mobile, compute, connectivity (FastConnect/WCN/WCD/WSA) and XR platforms, and successful exploitation can corrupt kernel memory to gain high impact on confidentiality, integrity and availability. There is no public exploit identified at time of analysis, EPSS risk is very low (0.09%), and CISA SSVC rates exploitation as none.
Technical ContextAI
The root cause is CWE-416 (Use After Free): when a userspace client passes the same buffer file descriptor across multiple IOCTL invocations, the driver frees or releases the underlying buffer object while another reference to it remains live, so a subsequent operation dereferences dangling memory. This is a classic double-reference/double-free pattern in device-driver buffer management, likely within Qualcomm's kernel-mode driver stack handling DMA/graphics/multimedia buffers exposed to applications via the IOCTL interface. The CPE (cpe:2.3:a:qualcomm,_inc.:snapdragon) and the EUVD version list confirm the affected surface spans SoCs (Snapdragon 8 Elite Gen 5, 460/662 Mobile, SD865 5G, SC8380XP), XR platforms (XR2/XR2+ Gen 1, AR1 Gen 1), and Wi-Fi/audio codec parts (WCN, WCD, WSA, FastConnect families).
RemediationAI
Apply the Qualcomm-provided driver/firmware fixes referenced in the July 2026 Qualcomm Security Bulletin (https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2026-bulletin.html); patch available per vendor advisory, but no single exact fix version is provided in the input, so the corrected package will be delivered through each OEM's Android/platform security update rather than a standalone version string. Because Snapdragon fixes ship via device-maker OTA updates, ensure devices are enrolled in and receiving the vendor's security patch level that includes this bulletin. Where patching lags, the practical compensating control is to restrict which applications can reach the vulnerable driver: limit installation to trusted/signed apps, avoid sideloading, and use MDM policy to block untrusted third-party apps, since exploitation requires local code execution on the device - the trade-off is reduced app flexibility for users. There is no network-facing workaround because the attack surface is the local IOCTL interface.
More in Snapdragon
View allBuffer overflow in Qualcomm Snapdragon firmware enables authentication bypass on adjacent networks, allowing remote unau
Local privilege escalation and memory corruption in Qualcomm Snapdragon WLAN firmware occurs when the driver parses malf
Memory corruption in Qualcomm Snapdragon Strongbox component allows local low-privileged attackers to trigger a buffer o
Local privilege escalation in Qualcomm Snapdragon chipsets stems from an out-of-bounds memory access in the Strongbox tr
Memory corruption in Qualcomm Snapdragon chipsets allows adjacent network attackers to achieve arbitrary code execution
Bootloader integrity bypass in Qualcomm Snapdragon platforms allows a high-privileged local attacker to write to a speci
Local privilege escalation via memory corruption affects Qualcomm Snapdragon platforms, where allocating memory with siz
Use-after-free memory corruption in Qualcomm Snapdragon platform driver code allows a local low-privileged process to tr
Local privilege escalation via memory corruption affects a broad range of Qualcomm Snapdragon chipsets, where a use-afte
Local privilege escalation in Qualcomm Snapdragon platforms is possible through memory corruption when processing multip
Local privilege escalation in Qualcomm Snapdragon platforms stems from an out-of-bounds read (CWE-125) triggered during
Local privilege escalation and memory corruption in Qualcomm Snapdragon platforms allows an attacker with low-privileged
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210438
GHSA-p9g7-9rvq-fcj5