HIGH 7.8

CVE-2025-59605: Qualcomm Memory Corruption in Device Identifier Processing

CVE-2025-59605 is a memory corruption flaw affecting Qualcomm wireless and networking chipsets. When a device processes identifier strings longer than designed, the software fails to properly validate input length, allowing the overflow to corrupt adjacent memory regions. An attacker with local access and standard user privileges can exploit this to read sensitive data, modify system behavior, or crash the device. The vulnerability requires direct local access and cannot be exploited remotely.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-787
Affected products
280 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Memory Corruption when processing device identifier strings that exceed the expected maximum length.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability is classified as an out-of-bounds write (CWE-787) in device identifier string processing across multiple Qualcomm platforms. The flaw occurs when firmware or drivers accept device identifier inputs exceeding their allocated buffer size without proper bounds checking. The resulting memory corruption can be leveraged for information disclosure, privilege escalation within the local security context, or denial of service. The CVSS 3.1 score of 7.8 (HIGH) reflects the combination of high confidentiality, integrity, and availability impact, mitigated only by the requirement for local access and low privilege context.

Business impact

Organizations deploying affected Qualcomm wireless chipsets—particularly in enterprise networking equipment, IoT devices, and gaming platforms—face risk of data exfiltration and system instability. Compromised devices could expose network credentials, customer data, or proprietary firmware. For IoT deployments and edge computing scenarios, this could compromise the trustworthiness of authentication and configuration data. Manufacturing and logistics environments using affected connectivity hardware should prioritize assessment of their device inventory and supply chain dependencies.

Affected systems

The vulnerability spans a broad range of Qualcomm platforms: Snapdragon gaming processors (G1 Gen 2, G2 Gen 1, G3X Gen 2), wireless connectivity modules (FastConnect 6200/6700/6800/6900/7800 series), automotive Ethernet controllers (AR8035), audio SoCs (CSRA6620, CSRA6640), and multiple Wi-Fi/Bluetooth chipsets (QCA6174A, QCA6391, QCA6574 variants, QCA6595, QAM8295P). Both firmware and hardware component listings indicate exposure across consumer devices, networking infrastructure, automotive systems, and IoT endpoints using these components.

Exploitability

Exploitation requires local system access and standard (non-root/non-administrative) user privileges, significantly reducing opportunistic attack surface compared to network-reachable vulnerabilities. The attack vector is local only (AV:L), and complexity is low (AC:L), meaning straightforward input manipulation can trigger the flaw once an attacker gains a foothold. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog, though the relative simplicity of triggering memory corruption makes eventual public exploitation likely. Organizations should assume proof-of-concept code will emerge as patch deployment lags.

Remediation

Qualcomm has released firmware patches addressing input validation in the affected device identifier processing routines. Organizations should consult Qualcomm's security advisory for specific patch versions applicable to their hardware revisions. Patches typically involve implementing strict length validation before buffer operations and may require device firmware updates. For devices in production with limited update capability, network segmentation and access controls limiting local user accounts represent interim mitigations pending patch deployment.

Patch guidance

Contact your device manufacturer or Qualcomm directly for firmware updates applicable to your specific hardware SKU. Patch versions and timelines vary significantly across the broad product range affected. For enterprise deployments, coordinate with your vendor on staged rollout plans, as firmware updates often require device downtime or reconfiguration. Verify patch application through firmware version inspection post-update. For consumer and IoT devices, check manufacturer websites for over-the-air update availability.

Detection guidance

Monitor for unusual process behavior on systems using affected chipsets, particularly attempts to load or manipulate device identifier configurations via system calls or driver interfaces. System logs may show memory access violations, segmentation faults, or driver crashes clustering around device enumeration or identifier parsing routines. Network-attached devices should be monitored for unexpected resets or degraded performance. Host-based tools can audit changes to firmware revision strings and device configuration files. EDR solutions with firmware visibility provide heightened detection capability.

Why prioritize this

HIGH priority due to the memory corruption's potential for privilege escalation and information disclosure within the local security boundary, combined with the exceptionally broad scope—affecting dozens of Qualcomm platforms spanning gaming, automotive, IoT, and enterprise networking. While remote exploitation is not possible, the prevalence of these chipsets in managed and unmanaged environments means widespread exposure. Organizations managing heterogeneous device ecosystems should triage affected inventory early.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects high impact to confidentiality, integrity, and availability balanced against the local attack vector and low privilege requirement. The 'HIGH' severity rating acknowledges the severity of potential impact—data exposure and system compromise—while the local-only and low-privilege requirements prevent a 'CRITICAL' designation. In environments where local privilege escalation is a realistic threat model (shared systems, IoT with physical access, development machines), the effective risk may exceed the base score.

Frequently asked questions

Do we need to patch immediately if we have devices with these chipsets?

Prioritize based on device role and network exposure. Automotive systems, industrial controllers, and edge devices handling sensitive data warrant immediate patching. Consumer-grade IoT devices with limited attack surface may follow standard patch cycles. Verify which specific SKUs in your inventory are affected using Qualcomm's compatibility matrix before scheduling maintenance windows.

Can this vulnerability be exploited remotely?

No. The attack vector is local only (AV:L), requiring an attacker to already have user-level access to the system. It cannot be exploited over the network, through email, or by an unauthenticated remote user. However, it remains a significant risk for systems with multiple local users or publicly accessible interfaces.

What should we do while waiting for patches?

Implement network segmentation to restrict which systems can communicate with affected devices. Disable unnecessary local user accounts and enforce strong authentication for any local access. Monitor firmware versions and device logs for anomalies. Subscribe to Qualcomm security advisories for patch availability. For critical infrastructure, consider temporary replacement with non-affected alternatives if viable.

How widespread is this vulnerability in real-world deployments?

Qualcomm chipsets are ubiquitous in smartphones, tablets, automotive infotainment, industrial IoT, gaming devices, and enterprise routers. The 40+ affected product SKUs suggest billions of potentially impacted devices globally. However, not all users will require patches—risk depends on your specific device models and the likelihood of local attacker access in your threat model.

This analysis is provided for informational purposes and does not constitute security advice specific to your organization. Patch versions, timelines, and availability vary by vendor and hardware SKU—verify all remediation guidance against official Qualcomm security advisories before implementation. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog but may be exploited in the future. Your organization should conduct its own risk assessment based on affected hardware inventory and local access threat models. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).