{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/qualcomm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2025-47407"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["memory-corruption","dsp","qualcomm","cve-2025-47407"],"_cs_type":"advisory","_cs_vendors":["Qualcomm"],"content_html":"\u003cp\u003eCVE-2025-47407 is a memory corruption vulnerability reported by Qualcomm, Inc., affecting digital signal processors (DSPs). The vulnerability stems from an allocation failure at the kernel level during process creation on the DSP. This can lead to memory corruption, potentially allowing an attacker to execute arbitrary code with elevated privileges. While the exact products affected are not specified, the issue resides within Qualcomm DSPs and could impact various devices utilizing these processors. This vulnerability was published on May 4, 2026, and requires patching of the affected DSP firmware to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a device containing a vulnerable Qualcomm DSP.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a process creation event on the DSP. 
This could involve sending a specifically crafted request to the DSP or exploiting another vulnerability to initiate the process creation.\u003c/li\u003e\n\u003cli\u003eDuring the process creation, a memory allocation failure occurs within the DSP kernel.\u003c/li\u003e\n\u003cli\u003eThis allocation failure leads to memory corruption, where data is written to an incorrect memory location.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to overwrite critical kernel data structures or code.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the corrupted memory region.\u003c/li\u003e\n\u003cli\u003eThe DSP executes the injected malicious code, granting the attacker control over the DSP.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the compromised DSP to further compromise the device or network it is connected to.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-47407 allows an attacker to execute arbitrary code on the DSP with elevated privileges. This can lead to a complete compromise of the affected device, allowing the attacker to steal sensitive data, install malware, or use the device as a launchpad for further attacks. 
The vulnerability can potentially impact a wide range of devices that utilize Qualcomm DSPs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for anomalies that may indicate a memory allocation failure, using the \u003ccode\u003eprocess_creation\u003c/code\u003e log category and filtering for processes related to the digital signal processor.\u003c/li\u003e\n\u003cli\u003eApply the security patch released by Qualcomm, as referenced in the advisory URL (\u003ca href=\"https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html\"\u003ehttps://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html\u003c/a\u003e), to address the memory corruption vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts by monitoring for specific events related to process creation and memory allocation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:16:21Z","date_published":"2026-05-04T17:16:21Z","id":"/briefs/2026-05-dsp-memory-corruption/","summary":"CVE-2025-47407 describes a memory corruption vulnerability affecting the digital signal processor due to allocation failure at the kernel level, potentially leading to arbitrary code execution with elevated privileges on affected systems.","title":"Memory Corruption Vulnerability in Digital Signal Processor (CVE-2025-47407)","url":"https://feed.craftedsignal.io/briefs/2026-05-dsp-memory-corruption/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-21382"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-21382","buffer-overflow","memory-corruption","qualcomm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-21382 describes a memory corruption vulnerability in Qualcomm products. 
The vulnerability stems from improper handling of power management requests with inadequately sized input/output buffers, which could lead to a buffer overflow (CWE-120). This vulnerability was reported by Qualcomm, Inc., and assigned a CVSS v3.1 score of 7.8. While the specific affected products are not detailed in the provided source, the advisory indicates it is part of the April 2026 Qualcomm security bulletin. Successful exploitation could lead to arbitrary code execution within the context of the affected power management component. Defenders should monitor for unusual activity related to power management processes and prioritize patching when updates become available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains local access to a vulnerable Qualcomm device.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious power management request with an oversized input buffer.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to the affected power management component.\u003c/li\u003e\n\u003cli\u003eThe component processes the request without properly validating the buffer size.\u003c/li\u003e\n\u003cli\u003eData from the oversized input buffer overflows into adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites critical data structures or executable code within memory.\u003c/li\u003e\n\u003cli\u003eThe system attempts to execute the corrupted code, leading to a crash or arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the device or escalates privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-21382 could allow an attacker to execute arbitrary code on a vulnerable Qualcomm device. 
Although the number of affected devices and specific sectors are not specified in the provided source, the impact of successful exploitation includes potential device compromise, data theft, or denial of service. Due to the high CVSS score, unpatched systems are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for power management-related processes spawning unexpected child processes, using a rule similar to the example below.\u003c/li\u003e\n\u003cli\u003eAnalyze network connections from power management-related processes for suspicious outbound traffic to unusual ports or IPs.\u003c/li\u003e\n\u003cli\u003eInvestigate any crashes or unexpected reboots on Qualcomm-based devices, correlating them with power management events in system logs.\u003c/li\u003e\n\u003cli\u003eMonitor for registry modifications made by power management processes, specifically those related to loading custom drivers or libraries.\u003c/li\u003e\n\u003cli\u003eReview and apply the security updates outlined in the Qualcomm security bulletin for April 2026 to patch CVE-2026-21382 (\u003ca href=\"https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html\"\u003ehttps://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:31Z","date_published":"2026-04-06T16:16:31Z","id":"/briefs/2026-04-qualcomm-buffer-overflow/","summary":"CVE-2026-21382 is a memory corruption vulnerability related to handling power management requests with improperly sized input/output buffers, potentially leading to code execution.","title":"Qualcomm Memory Corruption Vulnerability 
CVE-2026-21382","url":"https://feed.craftedsignal.io/briefs/2026-04-qualcomm-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-21374"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","memory-corruption","qualcomm","sensor"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-21374 is a memory corruption vulnerability affecting Qualcomm chipsets. The vulnerability stems from insufficient buffer size validation when processing auxiliary sensor input/output control commands. This flaw could allow a local attacker with elevated privileges to potentially execute arbitrary code or cause a denial-of-service condition by exploiting the buffer over-read. The vulnerability was published on April 6, 2026, and assigned a CVSS v3.1 base score of 7.8. The affected components relate to handling sensor data, making devices relying heavily on sensor input (e.g., smartphones, IoT devices) particularly susceptible. Successful exploitation requires local access to the device, which limits the scope of potential attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to a device with a vulnerable Qualcomm chipset, potentially through physical access or prior exploitation of another vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious auxiliary sensor input/output control command.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted command to the sensor processing module.\u003c/li\u003e\n\u003cli\u003eThe sensor processing module attempts to process the command without proper buffer size validation.\u003c/li\u003e\n\u003cli\u003eDue to the insufficient validation, the module reads beyond the intended buffer, leading to a buffer over-read.\u003c/li\u003e\n\u003cli\u003eThe memory corruption occurs, potentially overwriting critical data or code within the system\u0026rsquo;s 
memory.\u003c/li\u003e\n\u003cli\u003eIf the overwritten memory contains executable code, the attacker can achieve arbitrary code execution with the privileges of the sensor processing module, which could be elevated.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the device or causes a denial-of-service by crashing the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-21374 can lead to arbitrary code execution with elevated privileges on affected devices. This could allow an attacker to install malware, steal sensitive data, or completely take control of the device. While the vulnerability requires local access, it poses a significant risk to devices that are frequently left unattended or are accessible to untrusted individuals. The number of potentially affected devices is substantial, given the widespread use of Qualcomm chipsets in mobile and IoT devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for suspicious process creation events related to sensor processing modules or applications that interact with sensor data to identify potential exploitation attempts (see generic \u003ccode\u003eprocess_creation\u003c/code\u003e rule below, tune for specific Qualcomm binaries).\u003c/li\u003e\n\u003cli\u003eInvestigate any unexpected crashes or errors reported by sensor-related processes, as these could indicate memory corruption due to CVE-2026-21374.\u003c/li\u003e\n\u003cli\u003eApply security patches released by Qualcomm or device manufacturers as soon as they become available to address CVE-2026-21374 (reference: \u003ca 
href=\"https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html\"\u003ehttps://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:30Z","date_published":"2026-04-06T16:16:30Z","id":"/briefs/2026-04-qualcomm-cve-2026-21374/","summary":"CVE-2026-21374 describes a memory corruption vulnerability due to insufficient buffer size validation when processing auxiliary sensor input/output control commands, potentially allowing a local attacker to execute arbitrary code with elevated privileges.","title":"Qualcomm Memory Corruption Vulnerability in Auxiliary Sensor Processing (CVE-2026-21374)","url":"https://feed.craftedsignal.io/briefs/2026-04-qualcomm-cve-2026-21374/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-21375"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-21375","qualcomm","memory-corruption","ioctl"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-21375 is a memory corruption vulnerability affecting certain Qualcomm chipsets. The vulnerability stems from a lack of proper size validation when accessing an output buffer during IOCTL (Input/Output Control) processing. This flaw, disclosed in the April 2026 Qualcomm security bulletin, allows a local attacker with limited privileges to potentially overwrite memory, leading to denial of service or even arbitrary code execution. Successful exploitation requires a malicious application or process to interact with the vulnerable IOCTL interface on the target device. 
The vulnerability is classified as a buffer over-read (CWE-126).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious application is installed on a device with a vulnerable Qualcomm chipset.\u003c/li\u003e\n\u003cli\u003eThe application gains the necessary permissions to interact with the device driver via IOCTL calls.\u003c/li\u003e\n\u003cli\u003eThe malicious application crafts a specific IOCTL request with a small output buffer size.\u003c/li\u003e\n\u003cli\u003eThe device driver processes the IOCTL request but fails to properly validate the output buffer size against the actual data being written.\u003c/li\u003e\n\u003cli\u003eThe driver attempts to write data exceeding the allocated buffer size.\u003c/li\u003e\n\u003cli\u003eThe excess data overwrites adjacent memory regions in kernel space.\u003c/li\u003e\n\u003cli\u003eThis memory corruption can lead to a crash or, with careful manipulation, arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-21375 can result in a denial-of-service condition, where the device becomes unstable or unresponsive. In more severe scenarios, a local attacker could leverage the memory corruption to achieve arbitrary code execution with elevated privileges. 
Given the widespread use of Qualcomm chipsets in mobile devices and embedded systems, the potential impact could affect millions of devices globally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patches released by Qualcomm as detailed in the April 2026 security bulletin to remediate CVE-2026-21375.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious processes attempting to interact with device drivers, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement runtime validation of IOCTL buffer sizes within kernel drivers to prevent buffer overflows (mitigation, not detection).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:30Z","date_published":"2026-04-06T16:16:30Z","id":"/briefs/2026-04-qualcomm-ioctl-memory-corruption/","summary":"CVE-2026-21375 is a memory corruption vulnerability in Qualcomm chipsets due to insufficient output buffer size validation during IOCTL processing, potentially leading to arbitrary code execution.","title":"Qualcomm IOCTL Memory Corruption Vulnerability (CVE-2026-21375)","url":"https://feed.craftedsignal.io/briefs/2026-04-qualcomm-ioctl-memory-corruption/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-21376"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["memory-corruption","driver-vulnerability","qualcomm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA memory corruption vulnerability, identified as CVE-2026-21376, affects Qualcomm camera sensor drivers. The vulnerability stems from the driver\u0026rsquo;s failure to validate the size of the output buffer when processing IOCTL calls. This lack of validation can lead to a buffer over-read condition, where the driver attempts to access memory beyond the allocated buffer, resulting in memory corruption. 
The vulnerability was reported in the Qualcomm April 2026 Security Bulletin. Successful exploitation of this vulnerability could allow a local attacker to potentially execute arbitrary code with elevated privileges. This poses a significant risk to devices using affected Qualcomm camera sensor drivers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious application is installed on the target device.\u003c/li\u003e\n\u003cli\u003eThe application gains necessary privileges to interact with the camera sensor driver. This could potentially be achieved through exploiting other vulnerabilities or due to misconfigured permissions.\u003c/li\u003e\n\u003cli\u003eThe application sends a crafted IOCTL request to the camera sensor driver.\u003c/li\u003e\n\u003cli\u003eThe crafted IOCTL request triggers a specific function within the driver that accesses an output buffer.\u003c/li\u003e\n\u003cli\u003eThe driver fails to validate the size of the output buffer before writing data to it.\u003c/li\u003e\n\u003cli\u003eDue to the insufficient size validation, the driver writes beyond the bounds of the allocated buffer, leading to a buffer over-read condition.\u003c/li\u003e\n\u003cli\u003eMemory corruption occurs as a result of the out-of-bounds write, potentially overwriting critical data structures or code.\u003c/li\u003e\n\u003cli\u003eAn attacker may leverage the memory corruption to execute arbitrary code with the privileges of the camera sensor driver.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-21376 can lead to memory corruption and potentially allow a local attacker to execute arbitrary code with elevated privileges. The number of affected devices is currently unknown, but this vulnerability affects systems utilizing Qualcomm camera sensor drivers. 
A successful attack could compromise the integrity and confidentiality of the device, potentially leading to data theft, system instability, or complete device compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patches provided in the Qualcomm April 2026 Security Bulletin to remediate CVE-2026-21376. (Reference: \u003ca href=\"https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html\"\u003ehttps://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by camera-related drivers, using the Sigma rule provided below, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement runtime buffer size validation in camera drivers, to prevent future exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:30Z","date_published":"2026-04-06T16:16:30Z","id":"/briefs/2026-04-qualcomm-camera-driver-memory-corruption/","summary":"A memory corruption vulnerability exists in Qualcomm camera sensor drivers due to insufficient output buffer size validation during IOCTL processing, potentially leading to arbitrary code execution.","title":"Qualcomm Camera Driver Memory Corruption Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-qualcomm-camera-driver-memory-corruption/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2026-21367"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["dos","qualcomm","cve-2026-21367"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-21367 is a vulnerability affecting Qualcomm products that results in a transient denial-of-service (DoS). 
The vulnerability stems from the processing of nonstandard Fine Timing Measurement (FTM) Initial Link Setup (FILS) Discovery Frames which contain out-of-range action sizes during the initial network scanning phase. This issue can be triggered remotely, potentially disrupting the availability of services provided by the affected Qualcomm devices. The vulnerability was disclosed in the Qualcomm security bulletin for April 2026. Successful exploitation leads to temporary service unavailability, impacting user experience and potentially network stability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious FILS Discovery Frame with out-of-range action sizes.\u003c/li\u003e\n\u003cli\u003eThe attacker transmits the crafted FILS Discovery Frame to a Qualcomm device during its initial network scan.\u003c/li\u003e\n\u003cli\u003eThe Qualcomm device receives the malicious frame and attempts to process the out-of-range action size.\u003c/li\u003e\n\u003cli\u003eDue to improper bounds checking, the processing of the frame triggers a buffer over-read condition (CWE-126).\u003c/li\u003e\n\u003cli\u003eThe buffer over-read leads to a temporary system instability.\u003c/li\u003e\n\u003cli\u003eThe device experiences a transient denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe affected service becomes temporarily unavailable to legitimate users.\u003c/li\u003e\n\u003cli\u003eAfter a short period, the device recovers, and the service resumes normal operation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-21367 leads to a transient denial-of-service condition on affected Qualcomm devices. The specific impact depends on the role of the device. This vulnerability has a CVSS v3.1 score of 7.6, indicating a high severity. 
While the DoS is transient, repeated exploitation could create a prolonged disruption, hindering user access and potentially affecting critical device functionalities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for malformed FILS Discovery Frames, specifically those with unusually large action sizes, using network monitoring tools (network_connection log source).\u003c/li\u003e\n\u003cli\u003eApply the patches or updates provided by Qualcomm as detailed in the April 2026 security bulletin to remediate CVE-2026-21367 (reference: \u003ca href=\"https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html\"\u003ehttps://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on FILS Discovery Frame processing to mitigate the impact of malicious frames (network_connection log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:29Z","date_published":"2026-04-06T16:16:29Z","id":"/briefs/2026-04-qualcomm-dos/","summary":"CVE-2026-21367 describes a transient denial-of-service vulnerability in Qualcomm products that occurs when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans, potentially leading to service disruption.","title":"Qualcomm Transient Denial-of-Service via FILS Discovery Frames (CVE-2026-21367)","url":"https://feed.craftedsignal.io/briefs/2026-04-qualcomm-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-21371"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","memory-corruption","qualcomm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-21371 is a memory corruption vulnerability present in certain Qualcomm products. 
The vulnerability stems from insufficient size validation when retrieving an output buffer. This flaw can lead to a buffer over-read (CWE-126), potentially allowing a malicious actor with local access to read sensitive information from memory or execute arbitrary code. The vulnerability was reported by Qualcomm and affects undisclosed products. Publicly available information is limited, making it difficult to assess the scope of the vulnerability and precise exploitation scenarios. Defenders should monitor for unexpected memory access patterns in Qualcomm-based systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains local access to a vulnerable device running a Qualcomm chipset.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a specific function call that involves retrieving an output buffer.\u003c/li\u003e\n\u003cli\u003eDue to the insufficient size validation, the output buffer retrieval process reads beyond the allocated memory boundary (CWE-126).\u003c/li\u003e\n\u003cli\u003eThe memory over-read allows the attacker to access sensitive data stored in adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the leaked memory contents to identify exploitable information, such as pointers, cryptographic keys, or other sensitive data.\u003c/li\u003e\n\u003cli\u003eUsing the gained knowledge, the attacker crafts a malicious input to further exploit the vulnerability and achieve arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious code to gain elevated privileges or compromise the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploit of CVE-2026-21371 could result in information disclosure, where an attacker can read sensitive data from device memory. 
In a more severe scenario, it could lead to arbitrary code execution, potentially allowing an attacker to gain complete control of the affected device. The impact is significant for devices using vulnerable Qualcomm chipsets, potentially affecting a large number of mobile devices and other embedded systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor systems for unexpected memory access patterns, specifically buffer over-reads, using endpoint detection and response (EDR) solutions.\u003c/li\u003e\n\u003cli\u003eApply patches and updates released by Qualcomm for CVE-2026-21371 as soon as they become available. Refer to the Qualcomm security bulletin referenced in this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Potential Buffer Over-Read Exploitation\u0026rdquo; to identify suspicious process creation events associated with abnormal memory access patterns.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and auditing on systems utilizing Qualcomm chipsets to track memory access operations and identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:29Z","date_published":"2026-04-06T16:16:29Z","id":"/briefs/2026-04-qualcomm-memory-corruption/","summary":"CVE-2026-21371 is a memory corruption vulnerability due to insufficient size validation when retrieving an output buffer, potentially leading to information disclosure or arbitrary code execution on affected Qualcomm devices.","title":"Qualcomm Memory Corruption Vulnerability (CVE-2026-21371)","url":"https://feed.craftedsignal.io/briefs/2026-04-qualcomm-memory-corruption/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2025-47391"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2025-47391","memory corruption","qualcomm","stack-based buffer 
overflow"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-47391 is a critical memory corruption vulnerability affecting Qualcomm products. The vulnerability stems from a stack-based buffer overflow (CWE-121) triggered during the processing of a frame request. The vulnerability is detailed in the Qualcomm Security Bulletin for April 2026. A successful exploit could lead to arbitrary code execution within the context of the affected process. This vulnerability poses a significant risk to devices utilizing vulnerable Qualcomm components, potentially allowing attackers to gain unauthorized access and control. Defenders should prioritize identifying affected devices and applying necessary patches as soon as they become available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eSince no specific exploit details are provided in the source, the following attack chain describes the general steps involved in exploiting a stack-based buffer overflow when processing a frame request.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious frame request.\u003c/li\u003e\n\u003cli\u003eThe frame request is sent to the vulnerable Qualcomm component.\u003c/li\u003e\n\u003cli\u003eThe component\u0026rsquo;s software processes the frame request.\u003c/li\u003e\n\u003cli\u003eA stack-based buffer overflow occurs due to insufficient bounds checking when handling the request.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites adjacent memory on the stack, including return addresses.\u003c/li\u003e\n\u003cli\u003eUpon function return, execution is redirected to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code, potentially gaining control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-47391 can lead to arbitrary code execution, potentially allowing an 
attacker to gain complete control over the affected device. Given the widespread use of Qualcomm components in mobile devices and other embedded systems, the impact could be significant, affecting a large number of users. The memory corruption vulnerability could allow for data theft, device compromise, and denial of service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for suspicious frame requests targeting Qualcomm-based devices, and deploy the network connection rule below to detect unusual outbound activity after potential exploitation.\u003c/li\u003e\n\u003cli\u003eAnalyze process memory for unusual code execution patterns, and implement the process creation rule to detect unexpected processes being launched.\u003c/li\u003e\n\u003cli\u003eReview and apply the security updates provided in the Qualcomm Security Bulletin for April 2026 to patch CVE-2025-47391.\u003c/li\u003e\n\u003cli\u003eMonitor for registry modifications indicative of persistence, using the registry_set rule below to detect unusual registry changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:27Z","date_published":"2026-04-06T16:16:27Z","id":"/briefs/2026-04-cve-2025-47391/","summary":"CVE-2025-47391 is a memory corruption vulnerability due to a stack-based buffer overflow (CWE-121) while processing a frame request, as detailed in the Qualcomm security bulletin for April 2026, potentially leading to arbitrary code execution.","title":"CVE-2025-47391 Qualcomm Memory Corruption Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-cve-2025-47391/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2025-47390"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["memory-corruption","jpeg","qualcomm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-47390 describes a memory corruption vulnerability found in the 
JPEG driver related to the preprocessing of IOCTL requests. This vulnerability, reported by Qualcomm, could allow a local attacker to corrupt memory, leading to a crash or arbitrary code execution. This vulnerability is documented in the Qualcomm Security Bulletin for April 2026. Successful exploitation of this issue could lead to denial of service, local privilege escalation, or information disclosure, impacting the confidentiality, integrity, and availability of the system. Defenders should investigate systems using Qualcomm chipsets, prioritizing devices that handle JPEG image processing.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious application is installed on the target device.\u003c/li\u003e\n\u003cli\u003eThe application builds a specially crafted IOCTL request intended for the JPEG driver.\u003c/li\u003e\n\u003cli\u003eThe application sends the malicious IOCTL request to the JPEG driver via the device\u0026rsquo;s operating system API.\u003c/li\u003e\n\u003cli\u003eThe JPEG driver improperly processes the IOCTL request during the preprocessing stage.\u003c/li\u003e\n\u003cli\u003eDue to a buffer over-read (CWE-126), the driver reads beyond the allocated memory buffer.\u003c/li\u003e\n\u003cli\u003eThis memory corruption could lead to a crash, denial of service, or the potential to overwrite adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eIf the attacker can control the overwritten memory, they may be able to inject and execute arbitrary code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-47390 can lead to memory corruption, potentially resulting in a denial-of-service condition. In more severe scenarios, attackers could gain arbitrary code execution and escalate their privileges on the targeted system. 
This vulnerability affects devices utilizing the vulnerable Qualcomm JPEG driver. The specific number of affected devices is unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patches released by Qualcomm as detailed in the Qualcomm Security Bulletin for April 2026 to remediate CVE-2025-47390.\u003c/li\u003e\n\u003cli\u003eMonitor process creations for applications interacting with the JPEG driver using suspicious IOCTL requests to identify potential exploitation attempts (see the process creation Sigma rule below).\u003c/li\u003e\n\u003cli\u003eEnable driver verifier on test systems to proactively identify driver-level memory corruption issues.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:27Z","date_published":"2026-04-06T16:16:27Z","id":"/briefs/2026-04-jpeg-ioctl-memory-corruption/","summary":"A memory corruption vulnerability (CVE-2025-47390) exists while preprocessing IOCTL requests in the JPEG driver, potentially leading to local privilege escalation or denial of service.","title":"CVE-2025-47390: JPEG Driver IOCTL Memory Corruption Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-jpeg-ioctl-memory-corruption/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-24082"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-24082","use-after-free","memory corruption","qualcomm"],"_cs_type":"advisory","_cs_vendors":["Qualcomm, Inc."],"content_html":"\u003cp\u003eCVE-2026-24082 is a memory corruption vulnerability reported by Qualcomm, stemming from a use-after-free condition. The vulnerability occurs during the execution of a performance counter deselect operation, specifically when copying data from a memory location that has already been freed. Successful exploitation of this vulnerability could allow a local attacker to execute arbitrary code with elevated privileges. 
The vulnerability was published on May 4, 2026, and assigned a CVSS v3.1 base score of 7.8. This poses a significant risk to devices and systems incorporating vulnerable Qualcomm components, potentially leading to device instability, data compromise, or complete system takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious application or process gains initial access to the system through a separate vulnerability or social engineering.\u003c/li\u003e\n\u003cli\u003eThe malicious application triggers the performance counter functionality.\u003c/li\u003e\n\u003cli\u003eThe application initiates a deselect operation on a specific performance counter.\u003c/li\u003e\n\u003cli\u003eDuring the deselect operation, the system attempts to copy data from a memory location associated with the performance counter.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the memory location has already been freed.\u003c/li\u003e\n\u003cli\u003eThe copy operation attempts to read from the freed memory, resulting in a use-after-free condition.\u003c/li\u003e\n\u003cli\u003eThis can lead to memory corruption, where arbitrary data is written to the freed memory region.\u003c/li\u003e\n\u003cli\u003eThe memory corruption can be leveraged by the attacker to execute arbitrary code with the privileges of the affected process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-24082 can lead to memory corruption and arbitrary code execution. This could allow a local attacker to gain elevated privileges on the system, potentially leading to data theft, system compromise, or denial of service. The vulnerability affects devices and systems utilizing vulnerable Qualcomm components. 
The exact number of affected devices is not specified, but the potential impact is significant given Qualcomm\u0026rsquo;s widespread presence in mobile, IoT, and automotive industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unusual activity related to performance counter operations, specifically process creation events associated with performance monitoring tools using the Sigma rule \u003ccode\u003eDetectSuspiciousPerformanceCounterDeselect\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of memory corruption or use-after-free errors, especially those occurring in Qualcomm-related processes, as indicated by system logs.\u003c/li\u003e\n\u003cli\u003eConsult the Qualcomm security bulletin for affected product lists and recommended mitigations at the provided URL.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture events necessary for the \u003ccode\u003eDetectSuspiciousPerformanceCounterDeselect\u003c/code\u003e rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-qualcomm-cve-2026-24082/","summary":"CVE-2026-24082 is a use-after-free vulnerability in Qualcomm products that occurs when copying data from a freed source during a performance counter deselect operation, potentially leading to memory corruption and arbitrary code execution.","title":"Qualcomm Memory Corruption Vulnerability in Performance Counter Deselect Operation (CVE-2026-24082)","url":"https://feed.craftedsignal.io/briefs/2024-01-qualcomm-cve-2026-24082/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2025-47405"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2025-47405","memory corruption","camera sensor","qualcomm"],"_cs_type":"advisory","_cs_vendors":["Qualcomm"],"content_html":"\u003cp\u003eCVE-2025-47405 is a high-severity 
vulnerability affecting Qualcomm products. It stems from a memory corruption issue that occurs when processing camera sensor input/output control codes with invalid output buffers. This vulnerability could be exploited by a local attacker with low privileges, potentially leading to memory corruption, denial of service, or arbitrary code execution. The vulnerability was reported to NIST on May 4, 2026. The specific Qualcomm products affected are not explicitly mentioned, but the issue lies within the camera sensor processing component. This vulnerability is concerning because successful exploitation could compromise the device\u0026rsquo;s integrity and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious application is installed on the target device, leveraging existing permissions or exploiting other vulnerabilities for installation.\u003c/li\u003e\n\u003cli\u003eThe malicious application gains low-level privileges, potentially through privilege escalation techniques, if necessary.\u003c/li\u003e\n\u003cli\u003eThe application interacts with the camera sensor through input/output control codes (IOCTLs).\u003c/li\u003e\n\u003cli\u003eThe application crafts a specific IOCTL request with an invalid output buffer size or memory address.\u003c/li\u003e\n\u003cli\u003eThe camera sensor processing component attempts to write data to the invalid output buffer.\u003c/li\u003e\n\u003cli\u003eThis write operation triggers a memory corruption condition due to the out-of-bounds access.\u003c/li\u003e\n\u003cli\u003eThe memory corruption can lead to a denial of service, causing the device to crash or become unresponsive.\u003c/li\u003e\n\u003cli\u003eIn more severe scenarios, the memory corruption could be leveraged to achieve arbitrary code execution, allowing the attacker to gain full control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-47405 can lead to a range of negative consequences, from denial of service to arbitrary code execution. If an attacker gains code execution, they could potentially steal sensitive data, install malware, or use the device as part of a botnet. The exact number of affected devices is unknown, but given Qualcomm\u0026rsquo;s widespread presence in mobile devices and other embedded systems, the potential impact is significant. Sectors affected would primarily be consumer electronics and potentially industrial control systems using affected Qualcomm components.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unexpected or malicious applications interacting with camera sensor devices, using process creation logs (logsource: process_creation, product: android).\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection rules to detect suspicious process memory access patterns potentially related to memory corruption attempts (logsource: process_creation, product: android).\u003c/li\u003e\n\u003cli\u003eRefer to Qualcomm\u0026rsquo;s security bulletin for affected devices and patch information (references: \u003ca href=\"https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html\"\u003ehttps://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T10:00:00Z","date_published":"2024-01-23T10:00:00Z","id":"/briefs/2024-01-23-qualcomm-camera-memory-corruption/","summary":"CVE-2025-47405 is a memory corruption vulnerability in Qualcomm products related to processing camera sensor input/output control codes with invalid output buffers, potentially leading to arbitrary code execution.","title":"Qualcomm Camera Sensor Memory Corruption 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-23-qualcomm-camera-memory-corruption/"}],"language":"en","title":"CraftedSignal Threat Feed — Qualcomm","version":"https://jsonfeed.org/version/1.1"}