Severity: HIGH · CVE-2026-25260 · CNA: qualcomm

CVE-2026-25260: Time-of-check Time-of-use (TOCTOU) Race Condition in DSP Service

Memory Corruption when accessing shared buffers without validation of concurrent user-mode input modifications.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A time-of-check time-of-use (TOCTOU) race condition affects the Qualcomm Snapdragon DSP service on several chipsets, including Cologne, FastConnect 6900, FastConnect 7800, and QCA0000. A low-privilege local attacker can reach it without network access or victim interaction: the service accesses shared buffers without validating them against concurrent user-mode modification, which leaves a window between the check and the use. Successful exploitation causes memory corruption that gives the attacker full read access, write access, and the ability to crash the affected service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
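The bug class described in the synopsis, shown as an added example that is not Qualcomm's or HarborGuard's code (the advisory publishes no affected source): a handler that fetches a length from shared memory twice, beside the form that snapshots it once. The struct layout, function names, sizes, and the `racer_fn` hook that stands in for a concurrent user-mode writer are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DST_CAP 16u   /* bytes the service-side destination may hold */

/* Constructed layout of a request buffer shared with user mode. */
struct shared_req {
    volatile uint32_t len;   /* the client can rewrite this at any time */
    uint8_t payload[64];
};

/* Stand-in for the concurrent client: runs between check and use. */
typedef void (*racer_fn)(struct shared_req *);
static void grow_len(struct shared_req *r) { r->len = 48; }

/* BEFORE: len is fetched twice, once to check and once to use.
 * Returns the number of bytes written to dst, or -1 if rejected. */
long handle_double_fetch(struct shared_req *r, uint8_t *dst, racer_fn race)
{
    if (r->len > DST_CAP)            /* time of check */
        return -1;
    if (race) race(r);               /* window: shared len changes here */
    uint32_t n = r->len;             /* time of use: second fetch */
    memcpy(dst, r->payload, n);
    return (long)n;
}

/* AFTER: one fetch into a private variable; check and use share it. */
long handle_single_fetch(struct shared_req *r, uint8_t *dst, racer_fn race)
{
    uint32_t n = r->len;             /* the only read of the shared len */
    if (n > DST_CAP)
        return -1;
    if (race) race(r);               /* later client writes no longer matter */
    memcpy(dst, r->payload, n);      /* copy once; parse only dst afterwards */
    return (long)n;
}

/* Drives one handler with a valid len of 8 that the racer raises to 48. */
long run_case(long (*h)(struct shared_req *, uint8_t *, racer_fn))
{
    struct shared_req r = { .len = 8 };
    uint8_t backing[64] = {0};       /* oversized so the demo stays defined */
    memset(r.payload, 0xAA, sizeof r.payload);
    return h(&r, backing, grow_len);
}

int main(void) { printf("double=%ld single=%ld\n", run_case(handle_double_fetch), run_case(handle_single_fetch)); return 0; }
```

The double-fetch handler writes 48 bytes into a destination that was checked for 16, while the single-fetch handler writes the 8 bytes it validated.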

HarborGuard Coverage

Detection

Detection for CVE-2026-25260 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication from upstream advisory feeds, including custom-built images that bundle Qualcomm Snapdragon userspace components.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 7.8 (HIGH) and weighting that score against each environment's compliance policy to route findings to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Qualcomm publishes a remediated version. In the meantime, customers with auto-remediation enabled can receive compensating-control guidance through HarborGuard's policy engine.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the race condition; no administrative rights are needed.

  • Victim interaction: Not required

    No action from another user or administrator is required to exploit this vulnerability.

  • Attack complexity: Detail

    The exploit is rated low complexity, meaning it does not depend on specific memory layouts, race-window timing margins, or other unreliable environmental factors beyond the attacker's control.

Blast Radius

  • Reads arbitrary memory regions accessible to the DSP service, including buffers that may contain sensitive application data or credentials.
  • Writes to shared memory buffers, allowing an attacker to tamper with data being processed by the DSP service or higher-privilege components that consume its output.
  • Crashes the DSP service, disrupting audio, sensor, and compute offload functionality that depends on it.
  • Privilege escalation to a higher context is possible if corrupted memory overlaps with security-sensitive kernel or firmware data structures.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across customer environments now, matched against any image that includes affected Qualcomm Snapdragon userspace libraries. Because Qualcomm has not yet published a fix version, no patched-image rebuild is available at this time. HarborGuard re-evaluates the upstream advisory on every ingest cycle. The moment a fix is published, it will make a rebuild available and, for customers who opt into auto-remediation, run a full rebuild plus regression tests and open a PR against affected workloads.

While waiting for an upstream patch, compensating controls worth considering include:

  • Applying strict Linux namespace and seccomp profiles to containers that use DSP-facing libraries.
  • Enforcing network-policy isolation to limit lateral movement if the host is compromised.
  • Using feature-flag gating to disable non-essential DSP offload paths where the application permits it.

Where compliance policy permits, HarborGuard can surface these compensating-control recommendations automatically as policy findings alongside the CVE finding.

Affected packages
  • Qualcomm, Inc. / Snapdragon
    Cologne · FastConnect 6900 · FastConnect 7800 · QCA0000 · SC8380XP · WCD9378C
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H