HIGH 7.2

CVE-2026-24085: Qualcomm QCA Wireless Chipset Memory Corruption Vulnerability

A memory corruption vulnerability exists in multiple Qualcomm wireless chipsets and their firmware when processing display command line information. The flaw stems from improper initialization of a variable during command parsing, which could allow a high-privilege attacker with physical access to trigger memory corruption and potentially execute arbitrary code or crash the device. The vulnerability affects a broad range of Qualcomm wireless components used in enterprise and consumer devices.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.2 HIGH · CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-121
Affected products
546 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Memory Corruption when processing display command line information due to improper initialization of a variable.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-24085 is a stack-based buffer overflow (CWE-121) in Qualcomm QCA wireless chipsets and associated firmware. The vulnerability occurs during the parsing of display command line information due to inadequate variable initialization. An attacker with high privileges and physical access can supply malformed display commands that trigger out-of-bounds memory writes. The CVSS 3.1 score of 7.2 reflects high confidentiality, integrity, and availability impact, though exploitation requires physical access and elevated privileges. The attack vector is restricted to the local physical interface (AV:P), and no user interaction is required once access is obtained.

Business impact

This vulnerability poses a significant risk to devices incorporating affected Qualcomm chipsets, particularly in enterprise environments where physical security may be assumed but not absolute. Exploitation could lead to unauthorized code execution, firmware modification, or device denial of service. Organizations deploying these wireless components in infrastructure, IoT, or endpoint devices should assess exposure and prioritize firmware updates. The broad range of affected chipsets means impact analysis requires detailed device inventory mapping.

Affected systems

The vulnerability affects over 40 Qualcomm wireless chipset models and their associated firmware images, spanning WiFi, Bluetooth, and multi-radio modules including the QCA6391, QCA6564AU, QCA6574 series, QCA6595 series, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698 variants, QCA6797AQ, QCA8081, QCA8337, QCA8386, QCA8695AU, QCA9367, and QCA9377 families. Both firmware and chipset drivers are affected. Organizations should cross-reference their wireless component bills of materials against this list to identify exposure.

Exploitability

Exploitation requires high privileges (PR:H) and physical access to the affected device, which substantially constrains real-world attack scenarios outside insider threat models. Once physical access and elevated privileges are obtained, the vulnerability can be triggered reliably without user interaction, as no network interaction or user involvement is required (UI:N). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component itself. The lack of known public exploits and KEV listing suggests this remains a targeted rather than widespread attack vector, but the deterministic nature of memory corruption exploitation means proof-of-concept development is relatively straightforward for motivated attackers.

Remediation

Qualcomm has issued firmware updates addressing this vulnerability across affected chipset families. Organizations must obtain and deploy patched firmware versions from Qualcomm's security advisories or through their device manufacturers' update channels. The remediation requires coordinated firmware updates across chipset ecosystems, which may involve coordination with OEMs, system integrators, or network equipment vendors depending on deployment context. Verify specific patch versions against the official Qualcomm security bulletin for your chipset model.

Patch guidance

Contact Qualcomm or your device manufacturer to obtain patched firmware images for your specific QCA chipset model. Firmware updates must be applied according to your deployment architecture—this may involve bootloader updates, privileged firmware replacement, or vendor-specific update mechanisms. Test patches in a non-production environment first to ensure compatibility with your wireless drivers and system software. Maintain an inventory mapping devices to chipset models to streamline patch deployment. Given the breadth of affected products, prioritize devices in security-sensitive roles (authentication infrastructure, access points, embedded appliances) for early patching.

Detection guidance

Monitor systems for unusual behavior in wireless chipset firmware execution, particularly any anomalies in display command processing or unexpected firmware crashes. Network-based detection is limited due to the physical access requirement; focus on endpoint telemetry and firmware integrity monitoring. If your security operations center has access to chipset-level diagnostics, alert on memory access violations or stack smashing detection during display command parsing. Ensure device firmware logs and crash dumps are preserved and analyzed for evidence of exploitation attempts. For managed wireless infrastructure, monitor for unexpected device reboots or firmware state changes.

Why prioritize this

This is a HIGH-severity vulnerability affecting a pervasive component family across multiple device categories. The high CVSS score reflects severe impact potential (code execution, data compromise, availability loss). However, the requirement for physical access and high privileges substantially narrows the attack surface compared to remote vulnerabilities. Prioritize remediation for devices in high-security environments, those with non-physical access controls (e.g., shared lab equipment, remote sites), and infrastructure components where a single compromise has cascading effects. Organizations with strong physical security and insider threat programs can apply a measured approach; those without should treat this as critical.

Risk score, explained

The CVSS 3.1 score of 7.2 reflects the combination of high impact across all security dimensions (Confidentiality, Integrity, Availability all rated High) balanced against significant attack constraints. The local physical attack vector (AV:P) and high privilege requirement (PR:H) prevent this from reaching 8.0+, as does the requirement for the attacker to possess the device. The changed scope (S:C) indicates that successful exploitation affects more than the vulnerable chipset—it can compromise the host system or services relying on the wireless component. For organizations with robust physical security and insider threat controls, the practical risk may be lower than the numerical score suggests; for those without, the score should be considered a floor rather than a ceiling.

Frequently asked questions

Do I need to update all Qualcomm wireless devices immediately?

Prioritization depends on your threat model and deployment context. Devices in high-security environments, those with weak physical security, or equipment with critical availability requirements should be updated first. Devices in well-secured, monitored data centers with strong insider threat programs can follow a planned update schedule. However, given the scope of affected chipsets, you should have a patch deployment plan in place for all affected devices within 90 days.

How do I know if my device uses an affected Qualcomm chipset?

Check your device documentation, bill of materials, or system inventory for the wireless chipset model number. Cross-reference against the list of 40+ affected QCA models provided by Qualcomm. If you're unsure, contact your device manufacturer or Qualcomm support with your device model number.

Can this vulnerability be exploited remotely?

No. The attack vector is strictly physical (AV:P) and requires high-privilege access to the device itself. Remote exploitation is not possible. However, in scenarios where an attacker can obtain temporary physical access to a device or gain a high-privilege account, the vulnerability becomes actionable.

Will this appear in my network or endpoint detection systems?

Detection is primarily a firmware and chipset-level concern. Standard network intrusion detection systems will not see this activity. Endpoint agents may observe anomalies such as unexpected device crashes or firmware state changes, but robust detection requires chipset-level monitoring or firmware integrity tools. Focus detection efforts on systems with enhanced firmware monitoring capabilities.

This analysis is based on publicly available information as of the CVE publication date. CVSS scores, affected product lists, and vulnerability classifications are provided by authoritative sources (NVD, Qualcomm security advisories) and should be independently verified. Patch version numbers and remediation timelines must be confirmed against official vendor advisories before deployment. This assessment does not constitute a guarantee of vulnerability presence, exploitability, or patch efficacy in any specific environment. Organizations should conduct their own threat modeling and validation before prioritizing remediation efforts. No public exploit code is referenced or provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).