Skip to main content

Qualcomm Snapdragon CVE-2026-21368

| EUVDEUVD-2026-41926 MEDIUM
Out-of-bounds Write (CWE-787)
2026-07-06 qualcomm GHSA-v9qv-qmj7-ghvr
5.3
CVSS 3.1 · Vendor: qualcomm
Share

Severity by source

Vendor (qualcomm) PRIMARY
5.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
vuln.today AI
5.3 MEDIUM

Local vector and high complexity reflect parser access requiring crafted memory conditions; scope change consistent with Snapdragon isolated subsystem architecture.

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (qualcomm).

CVSS VectorVendor: qualcomm

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 21:30 vuln.today

DescriptionCVE.org

Memory Corruption when parsing jpeg commands due to unaccounted extra writes to the buffer during validation checks.

AnalysisAI

Out-of-bounds write in Qualcomm Snapdragon's JPEG command parser exposes local low-privilege users to memory corruption via crafted JPEG input. Validation checks within the parser fail to account for extra buffer writes, overwriting adjacent memory and enabling a scope change beyond the vulnerable component's boundary - consistent with Snapdragon's isolated subsystem architecture (DSP, camera ISP). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privilege local execution
Delivery
Access JPEG parser via camera HAL or codec API
Exploit
Submit crafted JPEG payload
Execution
Trigger validation undercount, causing out-of-bounds write
Persist
Corrupt adjacent memory across subsystem boundary
Impact
Achieve partial privilege escalation or code execution in higher-privilege component

Vulnerability AssessmentAI

Exploitation Requires local access to the target Snapdragon-based device with at least low-privilege execution (PR:L) - a locally installed application or shell session suffices; no network path exists (AV:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS rates this 5.3 Medium with AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with a low-privilege application on a Snapdragon-powered Android device crafts a malicious JPEG payload designed to trigger the off-by-more write during validation. By invoking a camera HAL or media codec interface that routes input to the vulnerable Snapdragon JPEG parser, the attacker causes out-of-bounds memory writes that corrupt adjacent memory in a neighboring subsystem component. …
Remediation Apply the security update published in the Qualcomm July 2026 Security Bulletin (https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2026-bulletin.html); the bulletin contains chipset-specific patch details. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-25293 CRITICAL
9.6 May 04

Buffer overflow in Qualcomm Snapdragon firmware enables authentication bypass on adjacent networks, allowing remote unau

CVE-2026-25268 HIGH
8.8 Jul 06

Local privilege escalation and memory corruption in Qualcomm Snapdragon WLAN firmware occurs when the driver parses malf

CVE-2026-25277 HIGH
8.8 Jun 01

Memory corruption in Qualcomm Snapdragon Strongbox component allows local low-privileged attackers to trigger a buffer o

CVE-2026-25276 HIGH
8.8 Jun 01

Local privilege escalation in Qualcomm Snapdragon chipsets stems from an out-of-bounds memory access in the Strongbox tr

CVE-2025-47392 HIGH
8.8 Apr 06

Memory corruption in Qualcomm Snapdragon chipsets allows adjacent network attackers to achieve arbitrary code execution

CVE-2026-24088 HIGH
8.2 Jun 01

Bootloader integrity bypass in Qualcomm Snapdragon platforms allows a high-privileged local attacker to write to a speci

CVE-2026-21379 HIGH
7.8 Jul 06

Local privilege escalation via memory corruption affects Qualcomm Snapdragon platforms, where allocating memory with siz

CVE-2025-59616 HIGH
7.8 Jul 06

Use-after-free memory corruption in Qualcomm Snapdragon platform driver code allows a local low-privileged process to tr

CVE-2025-59615 HIGH
7.8 Jul 06

Local privilege escalation via memory corruption affects a broad range of Qualcomm Snapdragon chipsets, where a use-afte

CVE-2026-25259 HIGH
7.8 Jun 01

Local privilege escalation in Qualcomm Snapdragon platforms is possible through memory corruption when processing multip

CVE-2026-25258 HIGH
7.8 Jun 01

Local privilege escalation in Qualcomm Snapdragon platforms stems from an out-of-bounds read (CWE-125) triggered during

CVE-2025-59606 HIGH
7.8 Jun 01

Local privilege escalation and memory corruption in Qualcomm Snapdragon platforms allows an attacker with low-privileged

Share

CVE-2026-21368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy