CVE-2026-24090: Missing Authentication for Critical Function in HLOS
Cryptographic issue while processing partition table entries allows unauthorized modification of boot flow.
Metrics
- CVSS v3.1
- 7.1
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A missing-authentication vulnerability in the Qualcomm Snapdragon HLOS partition table processing component allows a local attacker with low privileges to tamper with the boot flow. The attacker needs only an existing low-privilege account on the host; no network access or victim interaction is required. Successful exploitation enables unauthorized modification of the device boot flow and full read access to sensitive on-device data. No upstream fix has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild as soon as Qualcomm releases one.
HarborGuard Coverage
Detection of CVE-2026-24090 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that package affected Snapdragon firmware or HLOS components.
AvailableTriage is available with a CVSS 7.1 HIGH severity score applied automatically, weighted against each customer organization's per-environment compliance policy, and routed to the appropriate team inbox based on configured ownership rules.
AvailableBecause no fix version has been published by Qualcomm, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, affected images are flagged continuously so security teams can apply compensating controls.
Pending upstreamExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code path.
- AuthenticationRequired
Any low-privilege account on the host is sufficient; no elevated or administrative credentials are needed.
- Victim interactionNot required
No user interaction of any kind is required; the attacker can trigger the vulnerability entirely on their own.
- Attack complexityDetail
The exploit is reliable and condition-free, with no race conditions or special environmental factors required.
Blast Radius
- Reads sensitive on-device data, including data protected by partition-level access controls.
- Modifies partition table entries to redirect or corrupt the device boot flow.
- Persists unauthorized changes across reboots by altering the boot sequence before the OS loads.
- Potentially undermines secure boot guarantees, allowing unsigned or tampered firmware to execute.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-24090 is actively tracked against every image in customer registries and CI pipelines, with a HIGH severity flag applied on match. Because Qualcomm has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-evaluates the advisory on every ingest cycle and will trigger a rebuild automatically once an upstream fix is released. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth evaluating include network-policy isolation of hosts running affected Snapdragon components, restricting low-privilege account access to partition management interfaces, and applying any available platform-level secure boot enforcement policies.
- Qualcomm, Inc. / SnapdragonXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N