How is CVE-2026-24088 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network access to the target is required. Authentication (required): A high-privilege (admin-level) account on the target system is needed to reach the vulnerable boot partition processing function. Victim interaction (not-required): No user interaction is required; the attacker can trigger the vulnerability without involving any other party. Attack complexity (info): Exploitation is reliable and condition-free once the attacker holds the required privilege level; no race conditions or special environmental factors apply.

What is the impact of CVE-2026-24088?

Reads all data stored on the device, including credentials, keys, and application data, because a compromised bootloader runs before OS-level protections are established. Writes arbitrary code into the bootloader, enabling persistent implants that survive factory resets and OS reinstallation. Crashes or permanently disables the device by corrupting the boot partition beyond recovery. Bypasses code-signing and secure-boot guarantees for every subsequent OS and firmware component loaded after the tampered bootloader.

Back to search

HIGHCVE-2026-24088Published 2026-06-01Modified 2026-06-03CNA qualcomm

CVE-2026-24088: Missing Authentication for Critical Function in Boot

Cryptographic Issue while processing a specific partition which allows unauthorized write access to load a customized bootloader.

CVSS v3.1: 8.2
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A cryptographic verification failure in Qualcomm Snapdragon's boot partition processing allows an attacker with local privileged access to bypass integrity checks and write a customized bootloader to the device. The vulnerability is reachable locally and requires a high-privilege account, but does not require any user interaction. Successful exploitation grants full control over the boot chain, enabling persistent firmware-level compromise, disclosure of all data on the device, and the ability to tamper with or destroy stored data. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available as soon as Qualcomm publishes a fix.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-24088 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images that include Snapdragon firmware or related components.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.2 (HIGH) and weighting the result against each customer environment's compliance policy to determine urgency. Findings are routed automatically to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

No fix version has been published by Qualcomm for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated automatically at that time.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the target is required.
AuthenticationRequired
A high-privilege (admin-level) account on the target system is needed to reach the vulnerable boot partition processing function.
Victim interactionNot required
No user interaction is required; the attacker can trigger the vulnerability without involving any other party.
Attack complexityDetail
Exploitation is reliable and condition-free once the attacker holds the required privilege level; no race conditions or special environmental factors apply.

Blast Radius

Reads all data stored on the device, including credentials, keys, and application data, because a compromised bootloader runs before OS-level protections are established.
Writes arbitrary code into the bootloader, enabling persistent implants that survive factory resets and OS reinstallation.
Crashes or permanently disables the device by corrupting the boot partition beyond recovery.
Bypasses code-signing and secure-boot guarantees for every subsequent OS and firmware component loaded after the tampered bootloader.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored on every ingest cycle because no upstream fix currently exists. In the meantime, customers can apply compensating controls surfaced through HarborGuard policy rules, including restricting privileged local access to hosts running affected Snapdragon components, enforcing network-policy isolation to limit lateral movement from a compromised host, and flagging any image containing affected firmware components for mandatory manual review before deployment. As soon as Qualcomm publishes a fix version, HarborGuard will make a patched-image rebuild available; for customers with auto-remediation enabled, the rebuild, regression test run, and a PR opened against affected workloads will be triggered automatically, targeting a median time from patch publication to merged PR of around 90 minutes for HIGH-severity issues.

See how HarborGuard automates this

Affected packages

Qualcomm, Inc. / Snapdragon
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References

docs.qualcomm.com

Metrics

Get notified