SB2026030301 - Multiple vulnerabilities in Qualcomm chipsets (March 2026)
Published: March 3, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 secuirty vulnerabilities.
1) Missing Required Cryptographic Step (CVE-ID: CVE-2025-47383)
The vulnerability allows a remote privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Data Modem. A remote privileged application can execute arbitrary code.
2) Buffer over-read (CVE-ID: CVE-2025-59600)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.
3) Out-of-bounds write (CVE-ID: CVE-2025-59603)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Computer Vision. A local application can execute arbitrary code.
4) Improper Access Control for Register Interface (CVE-ID: CVE-2025-47385)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in SCE-Mink. A local application can execute arbitrary code.
5) Exposure of Sensitive System Information to an Unauthorized Control Sphere (CVE-ID: CVE-2025-47378)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in HLOS. A local application can read and manipulate data.
6) Out-of-bounds write (CVE-ID: CVE-2025-47373)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive. A local application can execute arbitrary code.
7) Use After Free (CVE-ID: CVE-2025-47379)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Audio. A local application can execute arbitrary code.
8) Reachable Assertion (CVE-ID: CVE-2025-47384)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in FW. A remote attacker can perform a denial of service (DoS) attack.
9) Use After Free (CVE-ID: CVE-2025-47386)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Audio. A local application can execute arbitrary code.
10) Use After Free (CVE-ID: CVE-2025-47381)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Audio. A local application can execute arbitrary code.
11) Use After Free (CVE-ID: CVE-2025-47377)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Audio. A local application can execute arbitrary code.
12) Use After Free (CVE-ID: CVE-2025-47376)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Audio. A local application can execute arbitrary code.
13) Use After Free (CVE-ID: CVE-2025-47375)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Audio. A local application can execute arbitrary code.
14) Reachable Assertion (CVE-ID: CVE-2025-47371)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.
15) Integer overflow (CVE-ID: CVE-2026-21385)
The vulnerability allows a malicious application to escalate privileges on the system.
The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Remediation
Install update from vendor's website.