Skip to content
Threat Feed
high advisory

CVE-2026-24091: Memory Corruption in Fastboot Command Processing

CVE-2026-24091 is a memory corruption vulnerability in Qualcomm devices that occurs when processing fastboot commands with improperly formatted input, potentially leading to code execution.

CVE-2026-24091 describes a memory corruption vulnerability affecting Qualcomm devices. The vulnerability stems from improper handling of malformed input during the processing of fastboot commands. Successful exploitation of this issue could allow an attacker with physical access to corrupt memory, potentially leading to code execution within the fastboot environment. This vulnerability was disclosed in Qualcomm’s June 2026 Security Bulletin. This issue poses a risk to device integrity and confidentiality, particularly in environments where unauthorized physical access to devices is possible.

Attack Chain

  1. Attacker gains physical access to a vulnerable Qualcomm device.
  2. Attacker places the device into fastboot mode (e.g., by holding specific button combinations during boot).
  3. Attacker connects the device to a host machine via USB.
  4. Attacker uses the fastboot tool to send a crafted, improperly formatted command to the device. This command triggers the memory corruption vulnerability.
  5. The vulnerable fastboot command processing routine on the device parses the malformed input.
  6. Due to insufficient input validation, the malformed input causes a buffer overflow or other memory corruption.
  7. The memory corruption leads to code execution within the fastboot environment on the device.
  8. Attacker gains control of the device or achieves data exfiltration.

Impact

Successful exploitation of CVE-2026-24091 can lead to arbitrary code execution on the affected device while in fastboot mode. An attacker with physical access could potentially use this vulnerability to bypass security features, install malicious firmware, or extract sensitive data. This poses a significant risk for devices containing sensitive information or those used in critical infrastructure.

Recommendation

  • Monitor process creations for instances of the fastboot command-line tool being invoked from unusual directories or with unusual arguments, as detected by the “Detect Fastboot Usage” Sigma rule.
  • Apply the security patches provided by Qualcomm as detailed in their June 2026 security bulletin.
  • Restrict physical access to devices to prevent unauthorized individuals from exploiting this vulnerability.
  • Deploy endpoint detection and response (EDR) solutions to monitor for suspicious memory access patterns that could indicate exploitation attempts.
  • Consider implementing policies that require secure boot and device attestation to mitigate the impact of potential firmware modifications.

Detection coverage 2

Detect Fastboot Usage

low

Detects the execution of the fastboot command-line tool, which may indicate attempts to exploit the CVE-2026-24091 vulnerability.

sigma tactics: initial_access techniques: T1542 sources: process_creation, windows

Detect Suspicious Memory Access by Fastboot

medium

Detects abnormal memory access patterns potentially related to memory corruption exploits initiated via fastboot commands. Focuses on access to protected memory regions after a fastboot process creation event.

sigma tactics: defense_evasion techniques: T1068 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →