CVE-2025-59604: Qualcomm Snapdragon Memory Corruption Vulnerability – HIGH Severity
CVE-2025-59604 is a memory corruption vulnerability affecting Qualcomm Snapdragon processors across multiple generations. The flaw occurs during memory copy operations when a null pointer is dereferenced, causing invalid writes to memory. An attacker with local access to a device can exploit this to gain elevated privileges and potentially read or modify sensitive data. The vulnerability is rated HIGH severity and requires local execution context, meaning an attacker must already have a foothold on the device.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 530 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Memory Corruption when running a memory copy operation due to invalid writes caused by a null pointer.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from a null pointer dereference (CWE-476) during a memory copy operation. When the affected code path attempts to write to memory without first validating that a critical pointer has been properly initialized, it can write to arbitrary memory locations or cause a crash. The CVSS v3.1 vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates local attack vector, low complexity, low privilege requirement, and high impact across confidentiality, integrity, and availability. This suggests the vulnerability resides in kernel or firmware-level code accessible to local processes with limited privileges.
Business impact
Exploitation could allow an attacker to escalate privileges on affected mobile devices, potentially gaining access to sensitive user data, compromised device functionality, or persistent control. For organizations managing fleets of devices running affected Snapdragon chipsets—including enterprise Android deployments—this represents a significant risk to device security posture and data protection compliance. The breadth of affected processor generations means remediation planning must span multiple device models and manufacturers.
Affected systems
The vulnerability affects a wide range of Qualcomm Snapdragon mobile platforms, including the budget-oriented 480 and 662 series, mid-range 6 and 7 series (across multiple generations), high-end 7+ and 8 Elite lineups, and compute-focused 7c+ platforms. Both the processor firmware and the mobile platform components are listed as vulnerable. Device manufacturers using these chipsets—including Samsung, Xiaomi, OPPO, and others—must coordinate patching efforts with Qualcomm.
Exploitability
Exploitation requires local code execution with low-level privileges; no user interaction or special configuration is needed once an attacker achieves initial code execution on the device. The low complexity and broad processor coverage suggest this is not a convoluted edge case but a more straightforward memory safety issue. However, practical exploitation typically requires chaining with another vulnerability to gain initial local access, making this a secondary or tertiary exploitation vector in a real-world attack chain rather than a standalone entry point.
Remediation
Remediation requires a firmware update from Qualcomm addressing the null pointer validation in the affected memory copy routine. Device manufacturers must integrate this patch into their respective firmware builds and distribute updates through their normal OTA or security patch channels. Verification that the patch has been deployed should be validated against the specific firmware version reported on each device, as Qualcomm's security updates are often cumulative.
Patch guidance
Contact Qualcomm through official security advisory channels and your device manufacturer's security updates page for patched firmware versions. Qualcomm typically publishes security patches as part of monthly security bulletins; verify the specific firmware version numbers that address this CVE against Qualcomm's official security advisory. Organizations should prioritize patching high-end and mid-range devices first due to their prevalence in enterprise deployments, then extend to budget-tier devices. Test patches in a controlled environment before mass deployment.
Detection guidance
At the host level, monitor system logs and crash dumps for kernel panics or memory access violations originating from the affected memory copy routines. Firmware-level instrumentation or vendor-specific security tools may detect malformed memory writes. At the network level, detection is limited since the vulnerability requires local execution; focus detection efforts on identifying devices that have not yet received the patch through device inventory and firmware version scanning. Endpoint detection and response (EDR) solutions may identify privilege escalation attempts following exploitation.
Why prioritize this
Despite the HIGH CVSS score and broad device impact, this vulnerability requires pre-existing local code execution and is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Prioritize based on device inventory exposure (count and role of affected Snapdragon devices), your threat model's likelihood of local compromise, and dependencies on affected processor generations. Organizations with strict BYOD policies or those managing consumer devices should elevate priority; those with tightly controlled enterprise-only fleets may defer slightly pending patch availability confirmation.
Risk score, explained
The CVSS 7.8/10 HIGH score reflects the local attack requirement (AV:L), low attack complexity (AC:L), and moderate privilege threshold (PR:L), balanced against severe impact—high confidentiality, integrity, and availability compromise (C:H, I:H, A:H). The score does not account for exploitation tooling maturity or real-world deployment frequency, which should inform your internal risk weighting. Organizations running numerous consumer or mid-market devices with affected chipsets should treat this as functionally CRITICAL until patches are deployed; those with limited exposure may view it as HIGH but deferred.
Frequently asked questions
Does this vulnerability allow remote exploitation?
No. The CVSS vector indicates a local attack vector (AV:L), meaning an attacker must have local code execution on the device first. Remote exploitation is not possible without a separate vulnerability to gain initial access.
Which devices are affected?
Any device using a Qualcomm Snapdragon processor from the affected list—spanning budget 400-series, mid-range 6/7-series, high-end 8 Elite, and specialized compute platforms. Check your device's chipset against the vendors_products list in the CVE record and verify your current firmware version against Qualcomm's security bulletin.
When should we expect patches from Qualcomm?
Qualcomm publishes security patches monthly. Verify Qualcomm's official security bulletin for the specific affected firmware versions and patched versions. Device manufacturers may release patches on their own timeline after receiving Qualcomm's update, so check your device maker's security updates page for availability.
What happens if a device is exploited via this vulnerability?
An attacker with local code execution could potentially escalate privileges, read sensitive data from memory, modify or corrupt data, or cause a denial of service. Real-world impact depends on what additional vulnerabilities the attacker chains with this one to gain initial device access.
This analysis is based on publicly available CVE data as of the publication date. Patch version numbers and specific firmware versions should be verified against official Qualcomm security advisories and your device manufacturer's security update channels. This vulnerability does not currently appear on CISA's Known Exploited Vulnerabilities list. Exploitation requires pre-existing local code execution; no active exploitation in the wild has been publicly confirmed at the time of writing. Organizations should verify applicability to their specific device inventory before allocating remediation resources. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-59606HIGHQualcomm Chipset Memory Corruption Local Privilege Escalation
- CVE-2025-70099HIGHNULL Pointer Dereference in lwext4 Directory Parsing (Denial of Service)
- CVE-2026-37226HIGHFlexRIC iApp Denial-of-Service via Invalid E2 Node Subscription
- CVE-2026-37230HIGHFlexRIC v2.0.0 RIC_INDICATION Denial-of-Service Vulnerability
- CVE-2026-46110HIGHLinux stmmac NULL Dereference DoS Vulnerability
- CVE-2026-46114HIGHLinux Kernel RDMA RXE Remote Memory Leak via Malformed ATOMIC_WRITE
- CVE-2025-60477MEDIUMMP4Box NULL Pointer Dereference Denial of Service
- CVE-2025-60481MEDIUMGPAC MP4Box NULL Pointer DoS Vulnerability (v26.02.0 Patch)