Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Memory Corruption when processing IOCTL requests with mismatched API versions due to concurrent modification of user-space buffer.
Analysis (AI)
Memory corruption in Qualcomm Snapdragon affects the IOCTL request processing path and is exploitable by a local attacker with high privileges who can win a race between API version validation and consumption of the user-space buffer. Successful exploitation yields high-impact confidentiality, integrity, and availability compromise despite the moderate overall CVSS score of 6.4, which is held down by the high attack complexity and privilege requirements. No public exploit code and no CISA KEV listing had been identified at the time of analysis, limiting the immediate widespread risk.
Technical Context (AI)
The vulnerability is rooted in CWE-367 (Time-of-check Time-of-use, TOCTOU), a class of race condition in which a kernel driver reads a user-space buffer at check-time (e.g., to validate an API version) and then re-reads or acts on that same buffer at use-time, without holding exclusive ownership between the two operations. An attacker controlling a concurrent thread can modify the user-space buffer in the window between check and use, causing the driver to process data under a different (mismatched) API version context than was validated. The Snapdragon ecosystem - identified via CPE cpe:2.3:a:qualcomm,_inc.:snapdragon:*:*:*:*:*:*:*:* - uses IOCTL interfaces extensively for communication between user-space applications and privileged kernel drivers (e.g., GPU, DSP, modem subsystems). Mismatched API version handling in this context can corrupt internal kernel structures, leading to potential arbitrary code execution in kernel context. The 'Buffer Overflow' tag supplied alongside CWE-367 suggests the TOCTOU outcome manifests as an out-of-bounds write, likely overflowing a fixed-size kernel buffer sized for one API version with data from another.
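An added illustration of the double-fetch pattern described above and of the single-copy fix for it. This is constructed example code, not Qualcomm's driver code: the request layout, the two API versions, the 16-byte v1 region, the copy_from_user stand-in and the race hook are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a versioned IOCTL request; not Qualcomm's real layout. */
#define V1_PAYLOAD_MAX 16u          /* kernel region sized for API v1 */
#define ARENA_SIZE     64u          /* v1 region followed by "neighbouring kernel state" */
struct ioctl_req { uint32_t api_version; uint32_t len; uint8_t payload[ARENA_SIZE]; };

/* Stand-in for copy_from_user(): the "user" pointer is ordinary memory here. */
static void copy_from_user_sim(void *dst, const void *src, size_t n) { memcpy(dst, src, n); }
/* The hook runs between check and use, standing in for a concurrent thread. */
typedef void (*race_hook)(struct ioctl_req *user_req);

/* Vulnerable: the version is checked from user memory, then len is fetched again
 * from user memory (double fetch). Returns the number of bytes it copied. */
int handle_ioctl_vulnerable(struct ioctl_req *u, uint8_t arena[], race_hook race) {
    uint32_t version, len;
    copy_from_user_sim(&version, &u->api_version, sizeof version);  /* check */
    if (version != 1) return -1;                 /* only v1 (16-byte payload) is accepted */
    if (race) race(u);                           /* user buffer changes under the driver */
    copy_from_user_sim(&len, &u->len, sizeof len);                  /* use: second fetch */
    if (len > ARENA_SIZE) return -1;             /* keeps the model in bounds; the v1 cap is never enforced */
    copy_from_user_sim(arena, u->payload, len);  /* spills past the 16-byte v1 region */
    return (int)len;
}

/* Hardened: one copy into kernel-owned memory; validate and act on that copy only. */
int handle_ioctl_hardened(struct ioctl_req *u, uint8_t arena[], race_hook race) {
    struct ioctl_req k;                          /* kernel-owned snapshot */
    copy_from_user_sim(&k, u, sizeof k);         /* single fetch */
    if (race) race(u);                           /* too late: user memory is not read again */
    if (k.api_version != 1 || k.len > V1_PAYLOAD_MAX) return -1;   /* bound tied to validated version */
    memcpy(arena, k.payload, k.len);
    return (int)k.len;
}

/* Constructed concurrent writer: re-tags the request as v2 with a 64-byte payload. */
static void flip_to_v2(struct ioctl_req *u) {
    u->api_version = 2; u->len = ARENA_SIZE; memset(u->payload, 0xAA, ARENA_SIZE);
}
/* Runs one handler under the race; *clobbered counts bytes written outside the v1 region. */
int run_race(int hardened, int *clobbered) {
    uint8_t arena[ARENA_SIZE] = {0};
    struct ioctl_req user = { .api_version = 1, .len = 8 };
    memset(user.payload, 0x11, sizeof user.payload);
    int n = hardened ? handle_ioctl_hardened(&user, arena, flip_to_v2)
                     : handle_ioctl_vulnerable(&user, arena, flip_to_v2);
    *clobbered = 0;
    for (unsigned i = V1_PAYLOAD_MAX; i < ARENA_SIZE; i++) if (arena[i]) (*clobbered)++;
    return n;   /* vulnerable: 64 with 48 clobbered; hardened: 8 with 0 clobbered */
}
```

The vulnerable handler trusts the second read of len after the concurrent writer has re-tagged the request, so 48 bytes land outside the region sized for v1; the hardened handler validates and consumes only its private copy, so the later change to user memory has no effect.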
Remediation (AI)
The primary remediation is to apply the patch distributed via Qualcomm's June 2026 Security Bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2026-bulletin.html. An exact patched firmware or driver version is not independently confirmed from the available data - consult the bulletin directly for per-SKU patch identifiers. OEM device makers should integrate the Qualcomm-provided fix into their firmware update pipelines and push updates to end-user devices promptly. As a compensating control where patching is delayed, organizations can restrict access to the vulnerable IOCTL interface by limiting which user-space processes are permitted to invoke it (e.g., via SELinux/seccomp policy tightening or mandatory access control rules on Android), accepting the trade-off of potentially reduced driver functionality for affected applications. Since PR:H is required, hardening privileged process isolation and auditing which applications hold elevated permissions on affected devices reduces the attacker pool that could reach this code path.
Related advisory identifiers
EUVD-2025-210023
GHSA-j87j-wfvp-42c4