high advisory

CVE-2025-47391 Qualcomm Memory Corruption Vulnerability

CVE-2025-47391 is a memory corruption vulnerability due to a stack-based buffer overflow (CWE-121) while processing a frame request, as detailed in the Qualcomm security bulletin for April 2026, potentially leading to arbitrary code execution.

CVE-2025-47391 is a critical memory corruption vulnerability affecting Qualcomm products. The vulnerability stems from a stack-based buffer overflow (CWE-121) triggered during the processing of a frame request. The vulnerability is detailed in the Qualcomm Security Bulletin for April 2026. A successful exploit could lead to arbitrary code execution within the context of the affected process. This vulnerability poses a significant risk to devices utilizing vulnerable Qualcomm components, potentially allowing attackers to gain unauthorized access and control. Defenders should prioritize identifying affected devices and applying necessary patches as soon as they become available.

Attack Chain

Since no specific exploit details are provided in the source, the following attack chain describes the general steps involved in exploiting a stack-based buffer overflow when processing a frame request.

  1. An attacker crafts a malicious frame request.
  2. The frame request is sent to the vulnerable Qualcomm component.
  3. The component’s software processes the frame request.
  4. A stack-based buffer overflow occurs due to insufficient bounds checking when handling the request.
  5. The attacker overwrites adjacent memory on the stack, including return addresses.
  6. Upon function return, execution is redirected to attacker-controlled code.
  7. The attacker executes arbitrary code, potentially gaining control of the device.
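
The bounds check missing at step 4, shown as an added example that is not taken from the Qualcomm bulletin or any Qualcomm code: a C parser for a hypothetical length-prefixed frame request that validates the declared length before copying into a fixed-size buffer. The frame layout, the names parse_frame_request and struct frame, and the sample bytes are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical frame layout, constructed for this example (not Qualcomm's):
 * 1 byte type, 2 bytes big-endian payload length, then the payload. */
#define FRAME_HDR_LEN  3u
#define FRAME_MAX_BODY 64u

enum { FRAME_OK = 0, FRAME_TRUNCATED = -1, FRAME_TOO_LARGE = -2 };

struct frame {
    uint8_t  type;
    uint16_t len;
    uint8_t  body[FRAME_MAX_BODY];
};

/* Parse one untrusted frame request into a fixed-size struct (usually a
 * stack local in the caller). The CWE-121 pattern is an unchecked
 * memcpy(out->body, in + 3, declared); here the declared length is checked
 * against the destination capacity and the bytes received before copying. */
static int parse_frame_request(const uint8_t *in, size_t in_len, struct frame *out)
{
    if (in == NULL || out == NULL || in_len < FRAME_HDR_LEN)
        return FRAME_TRUNCATED;
    size_t declared = ((size_t)in[1] << 8) | in[2];
    if (declared > FRAME_MAX_BODY)          /* would overrun out->body */
        return FRAME_TOO_LARGE;
    if (declared > in_len - FRAME_HDR_LEN)  /* would read past the input */
        return FRAME_TRUNCATED;
    memset(out, 0, sizeof *out);
    out->type = in[0];
    out->len  = (uint16_t)declared;
    memcpy(out->body, in + FRAME_HDR_LEN, declared);
    return FRAME_OK;
}

/* Constructed inputs: a well-formed frame, and one whose length field
 * (0x0400 = 1024) exceeds the 64-byte destination. */
static const uint8_t sample_ok[]       = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t sample_oversize[] = { 0x01, 0x04, 0x00, 'A', 'A', 'A', 'A' };

int main(void)
{
    struct frame f;
    int ok  = parse_frame_request(sample_ok, sizeof sample_ok, &f);
    int big = parse_frame_request(sample_oversize, sizeof sample_oversize, &f);
    return (ok == FRAME_OK && big == FRAME_TOO_LARGE) ? 0 : 1;
}
```

Rejecting the frame on either check, rather than truncating the copy, keeps a malformed length field from being processed at all.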

Impact

Successful exploitation of CVE-2025-47391 can lead to arbitrary code execution, potentially allowing an attacker to gain complete control over the affected device. Given the widespread use of Qualcomm components in mobile devices and other embedded systems, the impact could be significant, affecting a large number of users. The memory corruption vulnerability could allow for data theft, device compromise, and denial of service.

Recommendation

  • Monitor network traffic for suspicious frame requests targeting Qualcomm-based devices, and deploy the network connection rule below to detect unusual outbound activity after potential exploitation.
  • Analyze process memory for unusual code execution patterns, and implement the process creation rule to detect unexpected processes being launched.
  • Review and apply the security updates provided in the Qualcomm Security Bulletin for April 2026 to patch CVE-2025-47391.
  • Monitor for registry modifications indicative of persistence, using the registry_set rule below to detect unusual registry changes.

Detection coverage 3

Detect Suspicious Outbound Connection Post-Exploit

medium

Detects unusual outbound network connections from processes that may have been compromised after exploiting CVE-2025-47391

sigma | tactics: command_and_control | techniques: T1071.001 | sources: network_connection, windows

Detect Suspicious Process Creation Post-Exploit

high

Detects the creation of suspicious processes after a potential exploit, such as CVE-2025-47391.

sigma | tactics: execution | techniques: T1059.001 | sources: process_creation, windows

Detect Suspicious Registry Modification for Persistence

high

Detects suspicious registry modifications indicative of persistence after CVE-2025-47391 exploitation.

sigma | tactics: persistence | techniques: T1547.001 | sources: registry_set, windows


Indicators of compromise

Type    Value
url     https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
email   [email protected]