Skip to main content

Snapdragon CVE-2026-21372

| EUVDEUVD-2026-19323 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-04-06 qualcomm GHSA-73jc-v74h-5w6r
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 06, 2026 - 16:00 euvd
EUVD-2026-19323
Analysis Generated
Apr 06, 2026 - 16:00 vuln.today
CVE Published
Apr 06, 2026 - 15:33 nvd
HIGH 7.8

DescriptionCVE.org

Memory Corruption when sending IOCTL requests with invalid buffer sizes during memcpy operations.

AnalysisAI

Local privilege escalation in Qualcomm Snapdragon components allows authenticated local attackers to corrupt kernel memory through malformed IOCTL requests. Exploitation requires low-privilege local access but no user interaction (CVSS 7.8, AV:L/PR:L). The vulnerability enables attackers to achieve high impact across confidentiality, integrity, and availability through unsafe memcpy operations that fail to validate buffer sizes. No public exploit identified at time of analysis, though the straightforward attack complexity (AC:L) suggests exploitation development is feasible for adversaries with local access.

Technical ContextAI

This vulnerability resides in the IOCTL (Input/Output Control) interface of Qualcomm Snapdragon driver code, which handles system calls between user-space applications and kernel-space drivers. The root cause is CWE-122 (heap-based buffer overflow), occurring when the driver performs memcpy operations without properly validating user-supplied buffer sizes passed through IOCTL requests. When an attacker crafts IOCTL calls with maliciously oversized or undersized buffer parameters, the unchecked memcpy operation writes beyond allocated memory boundaries, corrupting adjacent heap structures. Qualcomm Snapdragon processors are system-on-chip (SoC) platforms widely deployed in mobile devices, automotive systems, and IoT products, making this a hardware-firmware layer vulnerability affecting the core chipset driver stack rather than application-level software.

RemediationAI

Organizations should apply Qualcomm's security patches detailed in the April 2026 Security Bulletin available at https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html, which will contain firmware updates with corrected buffer validation in IOCTL handlers. Device manufacturers (OEMs) must integrate these Qualcomm patches into their own firmware releases before end-user deployment, creating a multi-tier patching dependency that may delay availability. Until patched firmware becomes available and can be deployed, mitigating controls include restricting installation of untrusted applications through mobile device management policies, enforcing principle of least privilege to limit local user account capabilities, and implementing runtime application monitoring to detect anomalous IOCTL call patterns. For enterprise-managed devices, accelerating the firmware update cycle and prioritizing Snapdragon-based systems with access to sensitive data will reduce exposure windows.

CVE-2026-25293 CRITICAL
9.6 May 04

Buffer overflow in Qualcomm Snapdragon firmware enables authentication bypass on adjacent networks, allowing remote unau

CVE-2026-25268 HIGH
8.8 Jul 06

Local privilege escalation and memory corruption in Qualcomm Snapdragon WLAN firmware occurs when the driver parses malf

CVE-2026-25277 HIGH
8.8 Jun 01

Memory corruption in Qualcomm Snapdragon Strongbox component allows local low-privileged attackers to trigger a buffer o

CVE-2026-25276 HIGH
8.8 Jun 01

Local privilege escalation in Qualcomm Snapdragon chipsets stems from an out-of-bounds memory access in the Strongbox tr

CVE-2025-47392 HIGH
8.8 Apr 06

Memory corruption in Qualcomm Snapdragon chipsets allows adjacent network attackers to achieve arbitrary code execution

CVE-2026-24088 HIGH
8.2 Jun 01

Bootloader integrity bypass in Qualcomm Snapdragon platforms allows a high-privileged local attacker to write to a speci

CVE-2026-21379 HIGH
7.8 Jul 06

Local privilege escalation via memory corruption affects Qualcomm Snapdragon platforms, where allocating memory with siz

CVE-2025-59616 HIGH
7.8 Jul 06

Use-after-free memory corruption in Qualcomm Snapdragon platform driver code allows a local low-privileged process to tr

CVE-2025-59615 HIGH
7.8 Jul 06

Local privilege escalation via memory corruption affects a broad range of Qualcomm Snapdragon chipsets, where a use-afte

CVE-2026-25259 HIGH
7.8 Jun 01

Local privilege escalation in Qualcomm Snapdragon platforms is possible through memory corruption when processing multip

CVE-2026-25258 HIGH
7.8 Jun 01

Local privilege escalation in Qualcomm Snapdragon platforms stems from an out-of-bounds read (CWE-125) triggered during

CVE-2025-59606 HIGH
7.8 Jun 01

Local privilege escalation and memory corruption in Qualcomm Snapdragon platforms allows an attacker with low-privileged

Share

CVE-2026-21372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy