HIGH · CVE-2026-25277 · CNA: qualcomm

CVE-2026-25277: Buffer Copy Without Checking Size of Input in Secure Processor

Memory corruption while using Strongbox due to buffer overflow.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: (no fix version published)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A stack-based buffer overflow in Qualcomm's Strongbox secure processor implementation affects Snapdragon 8 Gen 2, 8+ Gen 2, 8 Gen 3, and 8 Elite mobile platforms. An attacker with a low-privilege account on the host can trigger memory corruption locally, with no user interaction required. Successful exploitation has high confidentiality, integrity, and availability impact across a changed security scope, meaning the attacker can break out of the Strongbox trust boundary and affect resources the attacker does not normally control. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Qualcomm publishes a fix.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-25277 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds. This coverage extends to custom-built images that include affected Qualcomm Snapdragon firmware or drivers, not only images pulled from public registries.

Triage: Available

HarborGuard is capable of scoring this CVE at 8.8 HIGH (CVSS v3.1) and weighting it against each customer environment's compliance policy to reflect actual exposure. Triage findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published by Qualcomm, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a pull request opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the vulnerability; no elevated or administrative credentials are needed.

  • Victim interaction: Not required

    No action from another user or process on the system is necessary to trigger the overflow.

  • Attack complexity: Low

    The exploit is reliable and condition-free; no race conditions, specific memory layouts, or other environmental factors need to align for the attack to succeed.

Blast Radius

  • Reads secrets and cryptographic key material stored inside the Strongbox secure environment, bypassing the hardware trust boundary intended to protect them.
  • Modifies data and code within the secure processor's memory space, allowing an attacker to tamper with security-critical operations such as key attestation or trusted application execution.
  • Crashes or disrupts the Strongbox secure enclave, making hardware-backed key storage and related security services unavailable to the host.
  • Because the CVSS scope is changed, impact extends beyond the originating process and can affect other isolated components sharing the Snapdragon security architecture.

How HarborGuard Handles This

Available on HarborGuard: because Qualcomm has not yet published a fix for CVE-2026-25277, the platform monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically when an upstream fix is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a pull request opened against affected workloads. While no patch is available, compensating controls worth evaluating include network-policy isolation to restrict lateral movement from any compromised host, egress filtering to limit what a post-exploitation process can reach, and auditing or disabling workloads that rely on Strongbox-backed operations on affected Snapdragon platforms where the risk is unacceptable. HarborGuard will surface the patched rebuild and initiate the auto-remediation flow the moment Qualcomm publishes a fix version.

Affected packages
  • Qualcomm, Inc. / Snapdragon
    Snapdragon 8 Gen 2 Mobile Platform · Snapdragon 8+ Gen 2 Mobile Platform · Snapdragon 8 Gen 3 Mobile Platform · Snapdragon 8 Elite · Snapdragon 8 Elite Gen 5
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H