CVE-2026-24090: Qualcomm Partition Table Cryptographic Flaw Enables Boot Modification
A cryptographic weakness in how Qualcomm processors handle partition table entries during boot allows a local attacker with standard user privileges to modify the boot process without authorization. This could enable an attacker to alter how a device loads its operating system or firmware, potentially leading to installation of malicious code or bypass of security controls. The vulnerability requires direct access to the device and cannot be exploited remotely.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-306
- Affected products
- 434 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Cryptographic issue while processing partition table entries allows unauthorized modification of boot flow.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-24090 stems from inadequate cryptographic verification (CWE-306: Missing Authentication for Critical Function) of partition table entries across a wide range of Qualcomm mobile and audio platforms. During boot sequence processing, the firmware fails to properly authenticate partition table modifications, allowing a local attacker with user-level privileges to tamper with partition metadata. The CVSS 3.1 score of 7.1 (HIGH) reflects high impact on confidentiality and integrity of the boot flow, limited by local attack vector and user-level access requirement. The vulnerability affects both the base platforms and their corresponding firmware packages.
Business impact
Devices running affected Qualcomm processors become vulnerable to unauthorized boot-flow modification. An attacker with physical or local access could persist malicious code at the firmware level, potentially evading detection by operating system-based security tools. For organizations deploying smartphones, tablets, or IoT devices on these platforms, this creates a pathway for sophisticated compromise that survives software updates and factory resets. Supply chain and managed device scenarios present elevated risk, as compromised devices could be distributed or remotely managed by adversaries post-compromise.
Affected systems
The vulnerability affects a broad portfolio of Qualcomm platforms spanning mobile (Snapdragon 460, 4 Gen 1/2), premium flagship (SM8845P, SM8750P, SM8650Q), mid-range (SM7675, SM7550, SM7525, SM7435, SM6850), and audio processors (Smart Audio 400). Both the base silicon platforms and their associated firmware packages are affected. Organizations should inventory devices and products based on these specific Qualcomm models to determine exposure scope.
Exploitability
Exploitation requires local access and user-level privileges on the target device—an attacker cannot exploit this remotely. However, the local requirement is a relatively low bar: a malicious application, supply-chain compromise, or physical device access enables attack. Once achieved, no additional user interaction or elevated privileges are needed to modify partition tables and alter boot behavior. Organizations relying on physical security or application sandboxing as primary mitigations should recognize this threat model.
Remediation
Patch availability and timelines depend on individual device manufacturers and Qualcomm's firmware release schedule. Affected parties should contact their Qualcomm representative or check device manufacturer security advisories for firmware updates addressing partition table authentication. Interim mitigations include restricting user-level access to trusted applications and enforcing device management policies that limit local code execution. Organizations should prioritize patching based on device criticality and deployment context (e.g., managed fleet vs. consumer devices).
Patch guidance
Monitor Qualcomm security bulletins and your device manufacturer's advisory channels for firmware patches specific to your platform (e.g., SM8845P, Snapdragon 460, Smart Audio 400). Patch deployment typically requires device restart and may necessitate coordination with fleet management systems for enterprise deployments. Verify against the vendor advisory that patches address partition table cryptographic authentication before rolling out. Test patches in a non-production environment first, particularly for audio and IoT devices where unexpected behavior could impact services.
Detection guidance
Detection requires firmware-level monitoring or forensic analysis post-compromise, as partition table modifications occur before the OS boots. Organizations should implement: (1) secure boot validation checks if available on the device platform, (2) periodic integrity verification of partition metadata in enterprise device management tools, and (3) monitoring for abnormal boot-time behavior or unexpected firmware changes. Host-based detection on the operating system layer is limited; endpoint security tools should focus on detecting suspicious post-boot activity consistent with firmware-level compromise.
Why prioritize this
This vulnerability merits prioritization because it enables persistence below the OS layer and affects a vast installed base of Qualcomm devices. The local+user-level attack vector is achievable via malicious apps, supply-chain routes, or physical access—realistic threat scenarios for many organizations. Unlike OS-level vulnerabilities, firmware-level compromise evades standard patching workflows and security tools, making remediation harder and impact longer-lasting. However, exploitation is not trivial and requires some form of local foothold, so immediate patching of all devices may be sequenced behind other immediate threats.
Risk score, explained
The CVSS 3.1 score of 7.1 reflects HIGH severity: high impact on boot integrity and confidentiality (both I and C flags set), but limited by the local attack vector and requirement for user-level privileges. The score appropriately captures that compromise is serious and difficult to detect, but not as severe as a remote vulnerability. For organizations with rigorous physical security and restricted app deployment policies, risk can be lowered through compensating controls; for BYOD or less-controlled environments, the effective risk is higher.
Frequently asked questions
Will patching an affected device require a factory reset or data loss?
Firmware patches typically require a device restart but should not cause data loss. However, always back up critical data before applying firmware updates. Test patches on non-critical devices first to confirm your device manufacturer's specific behavior.
Can this vulnerability be exploited by a remote attacker or malware downloaded from the internet?
No. Exploitation requires local access and user-level code execution on the device. However, a remotely-delivered malicious application could serve as the local attack vector, so the practical threat boundary is broader than 'local only' might suggest.
If a device is already compromised at the firmware level via this CVE, can I clean it with a software factory reset?
A factory reset that re-flashes the firmware from secure sources could remove the compromise. However, if an attacker has modified partition tables, they may have persistently altered how the device boots before the OS loads. Refer to your device manufacturer's guidance on secure recovery procedures for your specific platform.
How do I know which devices I own are affected?
Cross-reference your device's Qualcomm processor model (e.g., Snapdragon 460, SM8845P) against the affected platforms list. Device settings often list the SoC; manufacturer security pages usually provide model-to-CVE mappings. Contact your device manufacturer or Qualcomm if model identification is unclear.
This analysis is based on publicly available vulnerability metadata as of the publication date. Patch availability, timelines, and affected device models may vary by manufacturer. Organizations should verify exposure against their specific device inventory and consult vendor advisories before deploying patches. SEC.co makes no warranty regarding the completeness or accuracy of downstream vendor information. Always test patches in non-production environments. For immediate questions about your organization's exposure, contact your device manufacturer or Qualcomm support directly. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-24088HIGHQualcomm Bootloader Cryptographic Verification Flaw (CVSS 8.2)
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-36603HIGHMercusys AC12G Unauthenticated UPnP Port Forwarding Vulnerability
- CVE-2026-10283MEDIUMBottelet DaybydayCRM Authentication Bypass in Settings Handler
- CVE-2026-25599MEDIUMOrca Heat Pump Unauthenticated HTTP and Stored XSS Vulnerability
- CVE-2025-59604HIGHQualcomm Snapdragon Memory Corruption Vulnerability – HIGH Severity