Cyber Web Spider Blog – News

Critical Qualcomm Vulnerabilities Allow Attackers to Execute Arbitrary Code Remotely

Posted on September 2, 2025 By CWS

Multiple critical vulnerabilities in Qualcomm Technologies' proprietary Data Network Stack and Multi-Mode Call Processor permit remote attackers to execute arbitrary code.

These flaws, tracked as CVE-2025-21483 and CVE-2025-27034, each carry a CVSS score of 9.8 and involve buffer-corruption weaknesses that compromise device security.

Key Takeaways
1. CVE-2025-21483 & CVE-2025-27034 enable remote code execution (RCE).
2. Impacts Snapdragon 8 Gen1/Gen2, FastConnect, X55, IoT/automotive chips.
3. Patch now and filter RTP/PLMN traffic.

CVE-2025-21483: Remote Heap Buffer Overflow

The most severe issue, CVE-2025-21483, resides in Qualcomm's Real-time Transport Protocol (RTP) packet reassembly within the Data Network Stack & Connectivity module.

An attacker can send a malicious RTP packet that triggers a heap-based buffer overflow (CWE-119) by overrunning the NALU reassembly buffer.

With a remote access vector and no user interaction required, this vulnerability permits full control over affected chipsets, including Snapdragon 8 Gen1, Snapdragon 8 Gen2, FastConnect 7800, and dozens more.

Once exploited, arbitrary code execution at the kernel level can occur, compromising data confidentiality, integrity, and availability.
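The class of check whose absence produces this kind of overrun, shown as an added illustration (not Qualcomm's code and not taken from the bulletin). It assumes H.264 FU-A fragmentation as defined in RFC 6184, which the article does not specify; `reasm_t`, `fu_a_feed` and `NALU_CAP` are hypothetical names, and the sample fragments are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NALU_CAP 1024            /* assumed buffer capacity for this sketch */
enum { FU_DROP = -1, FU_MORE = 0, FU_DONE = 1 };

typedef struct {
    uint8_t buf[NALU_CAP];
    size_t  used;                /* bytes of the NAL unit assembled so far */
    int     active;              /* set once a start fragment was accepted */
} reasm_t;

/* Feed one RTP payload holding an H.264 FU-A fragment (RFC 6184, type 28). */
int fu_a_feed(reasm_t *r, const uint8_t *p, size_t len)
{
    if (len < 2 || (p[0] & 0x1F) != 28)      /* FU indicator + FU header */
        return FU_DROP;
    int start = p[1] & 0x80, end = p[1] & 0x40;
    size_t n = len - 2;                      /* fragment data bytes */

    if (start) {
        if (end) goto drop;                  /* S and E must not both be set */
        r->used = 0;                         /* rebuild the NAL unit header */
        r->buf[r->used++] = (uint8_t)((p[0] & 0xE0) | (p[1] & 0x1F));
        r->active = 1;
    } else if (!r->active) {
        return FU_DROP;                      /* continuation with no start */
    }
    /* Bounds check against remaining space; subtraction form cannot wrap. */
    if (n > NALU_CAP - r->used) goto drop;
    memcpy(r->buf + r->used, p + 2, n);
    r->used += n;
    if (end) { r->active = 0; return FU_DONE; }
    return FU_MORE;
drop:
    r->active = 0; r->used = 0;              /* discard the partial NAL unit */
    return FU_DROP;
}

int main(void)
{
    reasm_t r = {0};
    const uint8_t first[] = {0x7C, 0x85, 0xAA, 0xBB};  /* constructed: S=1 */
    const uint8_t last[]  = {0x7C, 0x45, 0xCC};        /* constructed: E=1 */
    int a = fu_a_feed(&r, first, sizeof first);
    int b = fu_a_feed(&r, last, sizeof last);
    printf("%d %d %zu\n", a, b, r.used);
    return 0;
}
```

The length comparison is written as `n > NALU_CAP - r->used` rather than `r->used + n > NALU_CAP` so that an attacker-controlled fragment length cannot wrap the sum past the check.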

CVE-2025-27034: Improper Array Index Validation Flaw

Equally critical is CVE-2025-27034, which stems from improper validation of an array index (CWE-129) in the Multi-Mode Call Processor.

Attackers can craft a malformed Public Land Mobile Network (PLMN) selection response that corrupts memory during index parsing.

The flaw's remote access vector and lack of privilege requirements make it exploitable over the network.

Affected platforms include the Snapdragon X55 5G Modem-RF System, Snapdragon 8 Gen1, QCM5430, and numerous IoT and automotive modems. Successful exploitation leads to arbitrary code execution with escalated privileges.

| CVE | Title | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-21483 | Improper Restriction of Operations within the Bounds of a Memory Buffer in Data Network Stack & Connectivity | 9.8 | Critical |
| CVE-2025-27034 | Improper Validation of Array Index in Multi-Mode Call Processor | 9.8 | Critical |

Mitigations 

Qualcomm has issued patches for both vulnerabilities, distributing updates directly to OEMs and urging immediate deployment.

The recommended countermeasure is to integrate the proprietary software updates provided in the September 2025 Security Bulletin and verify the presence of hardened bounds-checking routines.

Device manufacturers must ensure timely firmware upgrades to eliminate attack vectors in CVE-2025-21483's RTP parser and CVE-2025-27034's array index logic.

Security researchers emphasize the necessity of monitoring CVSS strings and using network filtering as an interim safeguard.

Administrators should block unexpected RTP streams and PLMN selection traffic until patched firmware is installed. Additionally, implementing strict SELinux policies on Android platforms can further constrain exploit attempts.

Stakeholders are advised to audit firmware versions, apply patches immediately, and maintain vigilant network monitoring to defend against these high-severity exploits.

Qualcomm customers and device end-users should contact their manufacturers or visit Qualcomm's support portal for detailed patch instructions and chipset coverage details.
