By vendor

Qualcomm vulnerabilities

Known CVEs affecting Qualcomm products, prioritized by severity, with SEC.co remediation and detection guidance.

12 published vulnerabilities

  • CVE-2026-24088HIGH 8.2

    CVE-2026-24088 is a cryptographic flaw in Qualcomm wireless and networking chipsets that allows a high-privileged attacker to bypass security controls and load a custom bootloader onto affected devices. The vulnerability stems from improper validation during firmware partition processing, enabling unauthorized modification of the boot sequence. This could allow an attacker with administrative or hardware-level access to inject malicious code that executes before the operating system, potentially taking complete control of the device.

  • CVE-2025-59604HIGH 7.8

    CVE-2025-59604 is a memory corruption vulnerability affecting Qualcomm Snapdragon processors across multiple generations. The flaw occurs during memory copy operations when a null pointer is dereferenced, causing invalid writes to memory. An attacker with local access to a device can exploit this to gain elevated privileges and potentially read or modify sensitive data. The vulnerability is rated HIGH severity and requires local execution context, meaning an attacker must already have a foothold on the device.

  • CVE-2025-59605HIGH 7.8

    CVE-2025-59605 is a memory corruption flaw affecting Qualcomm wireless and networking chipsets. When a device processes identifier strings longer than designed, the software fails to properly validate input length, allowing the overflow to corrupt adjacent memory regions. An attacker with local access and standard user privileges can exploit this to read sensitive data, modify system behavior, or crash the device. The vulnerability requires direct local access and cannot be exploited remotely.

  • CVE-2025-59606HIGH 7.8

    CVE-2025-59606 is a memory corruption vulnerability affecting multiple Qualcomm chipsets and wireless components. The flaw occurs when a device exhausts heap memory during secure data initialization, causing the firmware to write to invalid memory locations. An attacker with local access and limited privileges can exploit this to crash the system or potentially execute code with elevated permissions. This is a local privilege escalation risk rather than a remote attack vector.

  • CVE-2026-25260HIGH 7.8

    A memory corruption vulnerability in Qualcomm firmware and associated devices allows a local, authenticated attacker to corrupt memory by modifying shared buffers concurrently without the system validating those changes. This is a time-of-check-time-of-use (TOCTOU) style flaw where kernel or firmware code assumes a buffer's contents remain unchanged, but a malicious user-mode process modifies it between the check and actual use. The vulnerability requires local access and valid credentials but can lead to complete system compromise.

  • CVE-2026-24085HIGH 7.2

    A memory corruption vulnerability exists in multiple Qualcomm wireless chipsets and their firmware when processing display command line information. The flaw stems from improper initialization of a variable during command parsing, which could allow a high-privilege attacker with physical access to trigger memory corruption and potentially execute arbitrary code or crash the device. The vulnerability affects a broad range of Qualcomm wireless components used in enterprise and consumer devices.

  • CVE-2026-24090HIGH 7.1

    A cryptographic weakness in how Qualcomm processors handle partition table entries during boot allows a local attacker with standard user privileges to modify the boot process without authorization. This could enable an attacker to alter how a device loads its operating system or firmware, potentially leading to installation of malicious code or bypass of security controls. The vulnerability requires direct access to the device and cannot be exploited remotely.

  • CVE-2025-59613MEDIUM 6.7

    CVE-2025-59613 is a memory corruption vulnerability affecting Qualcomm wireless, compute, and AR/XR platforms. The flaw occurs when the system attempts to copy data into a buffer that is smaller than the source data being transferred, causing memory to be overwritten beyond the intended boundaries. An attacker with elevated privileges on the device could exploit this to corrupt memory and potentially compromise system integrity, confidentiality, or availability. The vulnerability requires local access and administrative-level permissions to trigger.

  • CVE-2025-59614MEDIUM 6.7

    A memory corruption flaw exists in multiple Qualcomm components when processing random number generator commands with an undersized output buffer. An attacker with high-level privileges on the local system can trigger this condition to corrupt memory, potentially achieving confidentiality, integrity, and availability compromise. The vulnerability requires administrator or equivalent access and cannot be exploited remotely.

  • CVE-2025-59601MEDIUM 6.5

    CVE-2025-59601 describes an information disclosure vulnerability in multiple Qualcomm wireless and audio components. When a device is factory reset through its powerline interface, sensitive configuration data may be exposed to an attacker with adjacent network access. This allows unauthorized parties to read device settings that should have been wiped during the reset process. The vulnerability does not allow modification of settings or denial of service, but the exposure of configuration details could enable further attacks or reveal sensitive operational parameters.

  • CVE-2025-59610MEDIUM 6.4

    A memory corruption vulnerability affects numerous Qualcomm chipsets and platforms when processing IOCTL (input/output control) requests that contain mismatched API versions. The flaw stems from concurrent modification of user-space buffers during processing, allowing a privileged local attacker to corrupt kernel memory and potentially gain elevated code execution. The vulnerability requires high privilege access and specific conditions to trigger, limiting opportunistic exploitation but posing significant risk in compromised or malicious insider scenarios.

  • CVE-2025-59609MEDIUM 5.5

    CVE-2025-59609 is a medium-severity information disclosure vulnerability affecting multiple Qualcomm wireless and audio chipset products. The flaw occurs when devices process Wi-Fi advertisement frames containing malformed MBSSID (Multiple BSSID) elements that are shorter than expected. An attacker with network proximity and valid credentials can craft these frames to trigger uninitialized memory access, potentially exposing sensitive data. The attack requires user interaction and specific network conditions to succeed, limiting its practical exploitability but still warranting prompt patching given the breadth of affected components.