Primary

Context

Qualcomm Snapdragon Products Use-After-Free Vulnerability in Neural Processing Unit

Vulnerability

A use-after-free vulnerability has been identified in various chipsets of Qualcomm Snapdragon products. This vulnerability leads to memory corruption when the IOCTL interface is used to simultaneously map and unmap buffers. The issue arises from improper handling of buffer management, allowing for potential exploitation through crafted IOCTL commands.

Impact

Exploitation of this vulnerability causes memory corruption, which can lead to arbitrary code execution or the introduction of a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending IOCTL commands that map and unmap buffers at the same time. This can be done through a custom application or script that interacts with the affected device's NPU via the IOCTL interface, specifically targeting chipsets that are known to be vulnerable.

Remediation

Qualcomm has released patches for this vulnerability. Instructions for applying the patch can be found in the Qualcomm August 2025 Security Bulletin.

Added: Aug 6, 2025, 11:06 AM

Updated: Aug 6, 2025, 11:06 AM

Affected Products

Qualcomm FastConnect 6800

Moderate fix1 remedy

cpe:2.3:h:qualcomm:fastconnect_6800:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm FastConnect 6900

Moderate fix1 remedy

cpe:2.3:h:qualcomm:fastconnect_6900:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm FastConnect 7800

Moderate fix1 remedy

cpe:2.3:h:qualcomm:fastconnect_7800:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm QCA6391

Moderate fix1 remedy

cpe:2.3:h:qualcomm:qca6391:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm QCA6426

Moderate fix1 remedy

cpe:2.3:h:qualcomm:qca6426:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm QCA6436

Moderate fix1 remedy

cpe:2.3:h:qualcomm:qca6436:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm QSM8250

Moderate fix1 remedy

cpe:2.3:h:qualcomm:qsm8250:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm SD865 5G

Moderate fix1 remedy

cpe:2.3:h:qualcomm:sd865_5g:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm SDM429W

Moderate fix1 remedy

cpe:2.3:h:qualcomm:sdm429w:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm SDX55

Moderate fix1 remedy

cpe:2.3:h:qualcomm:sdx55:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm Snapdragon 429 Mobile Platform

Moderate fix1 remedy

cpe:2.3:h:qualcomm:snapdragon_429_mobile_platform:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm Snapdragon 8 Gen 1 Mobile Platform

Moderate fix1 remedy

cpe:2.3:h:qualcomm:snapdragon_8_gen_1_mobile_platform:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm Snapdragon 865 5G Mobile Platform

Moderate fix1 remedy

cpe:2.3:h:qualcomm:snapdragon_865_5g_mobile_platform:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm Snapdragon 865+ 5G Mobile Platform

Moderate fix1 remedy

cpe:2.3:h:qualcomm:snapdragon_865+_5g_mobile_platform:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm Snapdragon 870 5G Mobile Platform

Moderate fix1 remedy

cpe:2.3:h:qualcomm:snapdragon_870_5g_mobile_platform:*:*:*:*:*:*:*, +2 more

Moderate fix1 remedy

Qualcomm Snapdragon W5+ Gen 1 Wearable Platform

Moderate fix1 remedy

cpe:2.3:h:qualcomm:snapdragon_w5+_gen_1_wearable_platform:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm Snapdragon X55 5G Modem-RF System

Moderate fix1 remedy

cpe:2.3:h:qualcomm:snapdragon_x55_5g_modem-rf_system:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm Snapdragon XR2 5G Platform

Moderate fix1 remedy

cpe:2.3:h:qualcomm:snapdragon_xr2_5g_platform:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm SW5100

Moderate fix1 remedy

cpe:2.3:h:qualcomm:sw5100:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm SW5100P

Moderate fix1 remedy

cpe:2.3:h:qualcomm:sw5100p:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm SXR2130

Moderate fix1 remedy

cpe:2.3:h:qualcomm:sxr2130:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm SXR2230P

Moderate fix1 remedy

cpe:2.3:h:qualcomm:sxr2230p:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm SXR2250P

Moderate fix1 remedy

cpe:2.3:h:qualcomm:sxr2250p:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm WCD9380

Moderate fix1 remedy

cpe:2.3:h:qualcomm:wcd9380:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm WCD9385

Moderate fix1 remedy

cpe:2.3:h:qualcomm:wcd9385:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm WCN3620

Moderate fix1 remedy

cpe:2.3:h:qualcomm:wcn3620:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm WCN3660B

Moderate fix1 remedy

cpe:2.3:h:qualcomm:wcn3660:*:*:*:*:*:*:*, +4 more

Moderate fix1 remedy

Qualcomm WCN3980

Moderate fix1 remedy

cpe:2.3:o:qualcomm:wcn3980_firmware:*:*:*:*:*:*:*

Moderate fix1 remedy

Qualcomm WCN3988

Moderate fix1 remedy

cpe:2.3:o:qualcomm:wcn3988_firmware:*:*:*:*:*:*:*

Moderate fix1 remedy

Qualcomm WSA8810

Moderate fix1 remedy

cpe:2.3:h:qualcomm:wsa8810:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm WSA8815

Moderate fix1 remedy

cpe:2.3:h:qualcomm:wsa8815:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm WSA8830

Moderate fix1 remedy

cpe:2.3:h:qualcomm:wsa8830:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm WSA8832

Moderate fix1 remedy

cpe:2.3:h:qualcomm:wsa8832:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Qualcomm WSA8835

Moderate fix1 remedy

cpe:2.3:h:qualcomm:wsa8835:*:*:*:*:*:*:*, +1 more

Moderate fix1 remedy

Vulnerability Rating

Custom Algorithm

spread

8.1

impact

2.5

exploitability

3.4

remediation

7.7

relevance

0.3

threat

1.6

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

8.1

impact

2.5

exploitability

3.4

remediation

7.7

relevance

0.3

threat

1.6

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.