HIGH · CVE-2026-25276 · Published · Modified · CNA qualcomm

CVE-2026-25276: Improper Validation of Array Index in Secure Processor

Memory corruption while using Strongbox due to missing bounds check.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

An improper array index validation vulnerability (missing bounds check) in the Qualcomm Snapdragon Secure Processor (Strongbox) allows memory corruption from a local context. The flaw is reachable by a low-privilege local process with no user interaction required, as indicated by the CVSS vector (AV:L/PR:L/UI:N). Successful exploitation has high confidentiality, integrity, and availability impact (C:H/I:H/A:H) that crosses the security boundary, including the Strongbox trusted execution environment. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Qualcomm publishes a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-25276 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Qualcomm's advisory and NVD) within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images that include affected Snapdragon firmware or related userspace components.

Status: Available

Triage

HarborGuard's triage capability scores this finding at CVSS 8.8 HIGH and weights it against each customer environment's compliance policy, factoring in the scope-changed impact, before routing the alert to the appropriate team inbox within the customer organization.

Status: Available

Patch

Because no fix version has been published by Qualcomm, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream ships a remediated release. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without needing to take manual action at that time.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable Strongbox interface.

  • Authentication: Required

    Any low-privilege local account or process is sufficient to trigger the missing bounds check; no elevated or admin credentials are needed.

  • Victim interaction: Not required

    No user action or social-engineering step is needed; the attacker can invoke the vulnerable code path directly.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no specific race condition, memory layout arrangement, or other environmental prerequisite.

Blast Radius

  • Reads protected cryptographic keys and secrets stored inside the Strongbox trusted execution environment.
  • Writes arbitrary data into secure memory regions, allowing tampering with integrity-protected storage and attestation records.
  • Crashes or destabilizes the Strongbox secure processor, disrupting hardware-backed key operations and breaking dependent security features on the device.
  • Because the CVSS scope metric is Changed (S:C), impact extends beyond the vulnerable component and can affect other system components that rely on Strongbox for trust anchoring.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged immediately on ingestion for any customer image that includes affected Qualcomm Snapdragon firmware packages or associated userspace libraries. Because Qualcomm has not published a remediated release, no patched-image rebuild is available yet. HarborGuard monitors the advisory on every ingest cycle and will surface a rebuild automatically once upstream ships a fix; for customers with auto-remediation enabled, that will trigger a rebuild, regression run, and PR against affected workloads with no manual intervention required.

In the interim, compensating controls worth evaluating include network-policy isolation to limit what processes can invoke Strongbox-dependent APIs, restricting deployment of affected images to workloads where TEE access is strictly necessary, and using feature-flag gating to disable Strongbox-backed operations in environments where the risk exceeds tolerance.

Affected packages
  • Qualcomm, Inc. / Snapdragon
    Snapdragon 8 Gen 2 Mobile Platform · Snapdragon 8+ Gen 2 Mobile Platform · Snapdragon 8 Gen 3 Mobile Platform · Snapdragon 8 Elite · Snapdragon 8 Elite Gen 5
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H