Skip to content
Threat Feed
high advisory

CVE-2026-24087: Memory Corruption in Fastboot OEM Command Processing

CVE-2026-24087 is a high-severity memory corruption vulnerability in Qualcomm components that occurs while processing fastboot OEM commands, potentially leading to code execution.

CVE-2026-24087 is a memory corruption vulnerability affecting Qualcomm components. The vulnerability stems from improper handling of fastboot OEM commands. An attacker with the ability to send crafted fastboot commands to a vulnerable device could potentially trigger memory corruption, leading to arbitrary code execution. The vulnerability is rated as HIGH severity with a CVSS v3.1 score of 7.2. This issue poses a significant risk to devices utilizing affected Qualcomm components as successful exploitation can lead to a complete compromise of the device. The Qualcomm security bulletin for June 2026 addresses this and other vulnerabilities.

Attack Chain

Due to lack of specific information on exploitation, the following is a general attack chain for memory corruption vulnerabilities:

  1. Attacker gains physical access to a device in fastboot mode.
  2. Attacker crafts a malicious fastboot OEM command specifically designed to trigger the memory corruption vulnerability (CVE-2026-24087).
  3. Attacker sends the crafted fastboot OEM command to the device via USB.
  4. The device’s fastboot implementation processes the malicious OEM command without proper validation.
  5. The improper processing leads to memory corruption, such as writing outside of allocated buffers.
  6. The memory corruption overwrites critical data or code within the device’s memory.
  7. The overwritten memory causes the device to crash or execute attacker-controlled code.
  8. The attacker achieves arbitrary code execution with elevated privileges on the device.

Impact

Successful exploitation of CVE-2026-24087 can lead to arbitrary code execution on vulnerable devices. This allows an attacker to gain complete control over the device, potentially stealing sensitive data, installing malware, or rendering the device unusable. Given the wide adoption of Qualcomm components in various mobile and embedded devices, this vulnerability poses a significant risk to a large number of users.

Recommendation

  • Apply the patches provided in the Qualcomm security bulletin for June 2026 to remediate CVE-2026-24087 (references).
  • Monitor for unusual fastboot command activity, specifically OEM commands, using network connection logs (rules).
  • Implement strict input validation and sanitization for fastboot OEM commands within device firmware (CWE-1286).

Detection coverage 2

Detect Fastboot OEM Command Traffic

low

Detects network traffic indicative of fastboot OEM commands being sent to a device.

sigma tactics: discovery sources: network_connection, windows

Detect CVE-2026-24087 Attempt - Large Fastboot OEM Command

medium

Detects CVE-2026-24087 exploitation attempt — Detects unusually large fastboot OEM commands which may indicate a memory corruption attempt.

sigma tactics: initial_access techniques: T1190 sources: network_connection, windows

Detection queries are available on the platform. Get full rules →