Skip to main content

Qualcomm

Vendor security scorecard – 13 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 22
13
CVEs
1
Critical
3
High
0
KEV
0
PoC
1
Unpatched C/H
76.9%
Patch Rate
0.0%
Avg EPSS

Severity Breakdown

CRITICAL
1
HIGH
3
MEDIUM
6
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-53046 Denial-of-service (NULL-pointer dereference / use-after-free) in the Linux kernel's in-kernel SMB3 server (ksmbd) affects systems that offload SMB3 message encryption to asynchronous hardware crypto engines such as the Qualcomm Crypto Engine (QCE). ksmbd_crypt_message() installs a NULL completion callback and misinterprets the -EINPROGRESS return from async AEAD requests as a fatal error, freeing the request while the hardware DMA is still running so the later qce_skcipher_done() callback dereferences freed memory and crashes the kernel. There is no public exploit identified at time of analysis, it is not in CISA KEV, and EPSS is low (0.18%, 8th percentile), consistent with the narrow hardware/configuration prerequisites despite the NVD CVSS of 9.8. CRITICAL 9.8 0.2% 49
CVE-2026-43347 Memory corruption in Linux kernel on Qualcomm Monaco-based ARM64 platforms causes kernel crashes through synchronous external aborts when accessing hypervisor-owned memory incorrectly marked as conventional RAM. The firmware's EFI memory map only reserves 288 KiB of a 512 KiB Gunyah hypervisor metadata region (0x91a80000-0x91afffff), leaving 224 KiB exploitable for triggering fatal aborts. Patches available for stable branches 6.18.24, 6.19.14, and 7.0 series. EPSS exploitation probability is very low (0.02%, 4th percentile) with no known active exploitation or public POC, indicating limited real-world threat despite CVSS 7.5 rating. HIGH 7.5 0.0% 38
CVE-2026-46055 Out-of-bounds read in the Linux kernel's AppArmor LSM subsystem (security/apparmor/match.c) allows a local low-privileged user to trigger a KASAN slab-out-of-bounds read via the mount() syscall on kernels 7.0 through 7.0.3 and 7.1-rc1. The flaw stems from a missing string terminator that causes aa_dfa_match() to read past the end of an 8KB kmalloc buffer when processing mount path strings, resulting in potential information disclosure and system instability (denial of service). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%. HIGH 7.1 0.0% 36
CVE-2026-43412 NULL pointer dereference in the Linux kernel's ASoC QCOM QDSP6 subsystem crashes systems built on Qualcomm SA8775P and SC8280XP SoCs during ADSP protection-domain restart cycles. The crash occurs because the q6apm-audio .remove callback prematurely deletes Runtime Descriptions (RTDs) containing q6apm DAI components during ASoC teardown, leaving those components still linked to the sound card and triggering a kernel oops on the subsequent rebind. Impact is limited to availability (kernel panic/denial of service); no public exploit has been identified at time of analysis, and EPSS at 0.02% reflects very low widespread exploitation probability. MEDIUM 5.5 0.0% 28
CVE-2025-39843 In the Linux kernel, the following vulnerability has been resolved: mm: slub: avoid wake up kswapd in set_track_prepare set_track_prepare() can incur lock recursion. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. MEDIUM 5.5 0.0% 28
CVE-2022-50371 In the Linux kernel, the following vulnerability has been resolved: led: qcom-lpg: Fix sleeping in atomic lpg_brighness_set() function can sleep, while led's brightness_set() callback must be. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. MEDIUM 5.5 0.0% 28
CVE-2026-23115 A race condition in the Linux kernel's serial driver allows local attackers with low privileges to bypass TTY device linkage during console configuration, potentially enabling unauthorized access to serial console interfaces on Qualcomm SoCs and other affected systems. The vulnerability stems from improper initialization ordering that fails to configure tty->port before uart_configure_port() is called, creating a window where user-space applications can open the console without proper driver linkage. No patch is currently available. MEDIUM 4.7 0.0% 24
CVE-2026-53339 In the Linux kernel, the following vulnerability has been resolved: i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() On all modern platfo – 0.2% 0
CVE-2025-38558 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: Initialize frame-based format color matching descriptor Fix NULL pointer crash in uvcg_framebased_make due to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer. MEDIUM 5.5 0.0% –
CVE-2025-39739 In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu-qcom: Add SM6115 MDSS compatible Add the SM6115 MDSS compatible to clients compatible list, as it also needs that. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. MEDIUM 5.5 0.0% –
CVE-2025-43993 Dell Wireless 5932e and Qualcomm Snapdragon X62 Firmware and GNSS/GPS Driver, versions prior to 3.2.0.22 contain an Unquoted Search Path or Element vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available. HIGH 7.8 0.0% –
No patch
CVE-2025-40108 In the Linux kernel, the following vulnerability has been resolved: serial: qcom-geni: Fix blocked task Revert commit 1afa70632c39 ("serial: qcom-geni: Enable PM runtime for serial driver") and its. No vendor patch available. – 0.0% –
No patch
CVE-2025-40152 In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix bootup splat with separate_gpu_drm modparam The drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses. No vendor patch available. – 0.0% –
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy