medium advisory April 6, 2026

Qualcomm Transient Denial-of-Service via FILS Discovery Frames (CVE-2026-21367)

CVE-2026-21367 describes a transient denial-of-service vulnerability in Qualcomm products that occurs when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans, potentially leading to service disruption.

CVE-2026-21367 is a vulnerability affecting Qualcomm products that results in a transient denial-of-service (DoS). The vulnerability stems from the processing of nonstandard Fine Timing Measurement (FTM) Initial Link Setup (FILS) Discovery Frames which contain out-of-range action sizes during the initial network scanning phase. This issue can be triggered remotely, potentially disrupting the availability of services provided by the affected Qualcomm devices. The vulnerability was disclosed in the Qualcomm security bulletin for April 2026. Successful exploitation leads to temporary service unavailability, impacting user experience and potentially network stability.

Attack Chain

An attacker crafts a malicious FILS Discovery Frame with out-of-range action sizes.
The attacker transmits the crafted FILS Discovery Frame to a Qualcomm device during its initial network scan.
The Qualcomm device receives the malicious frame and attempts to process the out-of-range action size.
Due to improper bounds checking, the processing of the frame triggers a buffer over-read condition (CWE-126).
The buffer over-read leads to a temporary system instability.
The device experiences a transient denial-of-service condition.
The affected service becomes temporarily unavailable to legitimate users.
After a short period, the device recovers, and the service resumes normal operation.

Impact

Successful exploitation of CVE-2026-21367 leads to a transient denial-of-service condition on affected Qualcomm devices. The specific impact depends on the role of the device. This vulnerability has a CVSS v3.1 score of 7.6, indicating a high severity. While the DoS is transient, repeated exploitation could create a prolonged disruption, hindering user access and potentially affecting critical device functionalities.

Recommendation

Monitor network traffic for malformed FILS Discovery Frames, specifically those with unusually large action sizes, using network monitoring tools (network_connection log source).
Apply the patches or updates provided by Qualcomm as detailed in the April 2026 security bulletin to remediate CVE-2026-21367 (reference: https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html).
Implement rate limiting on FILS Discovery Frame processing to mitigate the impact of malicious frames (network_connection log source).

Detection coverage 2

Detect FILS Discovery Frames with Large Action Sizes

medium

Detects network connections with potentially malicious FILS Discovery Frames based on abnormally large action sizes.

sigma tactics: availability techniques: T1498 sources: network_connection, linux

Detect Multiple FILS Discovery Frame Anomalies from Single Source

high

Detects potential denial-of-service attacks based on a high rate of FILS Discovery Frames originating from a single source IP address.

sigma tactics: availability techniques: T1498 sources: network_connection, linux

Detection queries are kept inside the platform. Get full rules →

Indicators of compromise

Type	Value
email	[email protected]
email	[email protected]