Severity: HIGH · CVE-2026-25258 · CNA: qualcomm

CVE-2026-25258: Out-of-bounds Read in DSP Service

Memory corruption while processing IOCTL calls for escape operations.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability in the Qualcomm Snapdragon DSP service allows a local attacker with low-privilege access to corrupt memory through malformed IOCTL calls for escape operations. The attacker must already have a shell or process running on the affected device; no network access or user interaction is required. Successful exploitation gives the attacker full read, write, and execution control over the affected component, enabling data theft, data tampering, and potential code execution. No fix version has been published yet; HarborGuard tracks the Qualcomm advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-25258 is available across every HarborGuard environment, with ingestion from upstream advisory feeds (including Qualcomm's CNA feed) within minutes of publication and matching against all customer images, including custom-built images that layer Snapdragon firmware or DSP service components. Any image in a customer registry or CI pipeline containing an affected Snapdragon component (Cologne, FastConnect 6900, FastConnect 7800, QCA0000) is flagged automatically.

Status: Available

Triage

Triage is available using the CVSS v3.1 score of 7.8 (HIGH), with per-environment compliance policy weighting applied so that images flagged as production-critical are routed to the appropriate team inbox inside each customer organization. Customers with custom severity thresholds or policy overrides see this CVE ranked according to their configured rules.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the Qualcomm advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the meantime, customers can apply compensating controls such as network-policy isolation and process-level sandboxing through HarborGuard's policy recommendations for unpatched HIGH-severity issues.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrator or root credentials to trigger the vulnerable IOCTL path.

  • Victim interaction: Not required

    No victim action is needed; the attacker can trigger the vulnerable IOCTL calls entirely from their own process.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • A successful attacker reads arbitrary memory from the DSP service process, exposing sensitive data such as cryptographic keys or session state held in that process.
  • The attacker writes to memory outside the intended buffer, corrupting data structures and potentially overwriting security-relevant state in the DSP service.
  • Full confidentiality, integrity, and availability impact is confirmed by the CVSS tokens (C:H/I:H/A:H), meaning the attacker can crash the DSP service entirely in addition to reading and modifying its data.
  • Privilege escalation within the DSP service context is feasible given arbitrary memory write capability, potentially affecting other processes sharing that memory region.

How HarborGuard Handles This

Available on HarborGuard: continuous advisory monitoring for CVE-2026-25258 is active, with the Qualcomm CNA feed re-checked on every ingest cycle. Because no patch exists yet, the platform flags all images containing affected Snapdragon components (Cologne, FastConnect 6900, FastConnect 7800, QCA0000) and surfaces compensating-control guidance, including restricting IOCTL access through seccomp or AppArmor profiles and isolating affected workloads via Kubernetes network policy to limit lateral movement if the DSP service is compromised. The moment Qualcomm publishes a fix version, HarborGuard will make a patched-image rebuild available; for customers who opt into auto-remediation, that rebuild triggers a regression-test run and a PR opened against affected workloads automatically, with a median time from patch publication to merged PR of around 90 minutes for HIGH-severity issues in environments with auto-remediation enabled.

Affected packages
  • Qualcomm, Inc. / Snapdragon
    Cologne · FastConnect 6900 · FastConnect 7800 · QCA0000 · SC8380XP · WCD9378C
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H