
Qualcomm Discloses Critical Vulnerabilities Affecting Secure Boot Mechanisms

Qualcomm Technologies released its December 2025 Security Bulletin on December 1, 2025, revealing multiple high-severity flaws in proprietary and open-source code, with CVE-2025-47372 standing out as a critical threat to secure boot processes in numerous chipsets.

This vulnerability enables memory corruption during boot by mishandling oversized ELF images without proper size checks or authentication, earning a CVSS score of 9.0 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

Patches are now available to original equipment manufacturers (OEMs), who must deploy them urgently on affected devices, such as smartphones and automotive systems.

Vulnerability Breakdown

CVE-2025-47372 targets the boot subsystem, where the bootloader reads Executable and Linkable Format (ELF) files, the standard binaries used to load firmware, into fixed-size buffers without verifying their sizes.

An attacker crafts a corrupted ELF with inflated size metadata, triggering a classic buffer overflow (CWE-120) that overwrites adjacent structures and enables code execution in a privileged boot context.

Discovered internally, it requires local access but no privileges, and its scope change (S:C) amplifies the impact across security boundaries.
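The class of check whose absence the bulletin describes, shown as an added illustration rather than Qualcomm's code: a bootloader-style segment loader that bounds every header-supplied size (offset, file size, memory size) before copying into its fixed buffer. The program-header struct, the 64-byte stand-in image and the 32-byte destination buffer are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct { uint64_t p_offset, p_filesz, p_memsz; } phdr_t; /* constructed ELF64 subset */
enum { SEG_OK = 0, SEG_BAD_RANGE = -1, SEG_TOO_BIG = -2, SEG_INCONSISTENT = -3 };

/* Bound every header-supplied size before any copy; this is the class of check
 * the bulletin describes as missing from the affected bootloader. */
int validate_segment(const phdr_t *ph, size_t img_len, size_t dst_cap)
{
    if (ph->p_filesz > UINT64_MAX - ph->p_offset ||     /* offset+size wraps   */
        ph->p_offset + ph->p_filesz > img_len)          /* runs past the image */
        return SEG_BAD_RANGE;
    if (ph->p_memsz > dst_cap)                          /* exceeds fixed buffer */
        return SEG_TOO_BIG;
    if (ph->p_filesz > ph->p_memsz)                     /* file bytes > memsz  */
        return SEG_INCONSISTENT;
    return SEG_OK;
}

/* Copy a segment into a fixed-size buffer only after validation passes. */
int load_segment(const uint8_t *img, size_t img_len, const phdr_t *ph,
                 uint8_t *dst, size_t dst_cap)
{
    int rc = validate_segment(ph, img_len, dst_cap);
    if (rc != SEG_OK)
        return rc;
    memcpy(dst, img + ph->p_offset, (size_t)ph->p_filesz);
    memset(dst + ph->p_filesz, 0, (size_t)(ph->p_memsz - ph->p_filesz)); /* zero tail */
    return SEG_OK;
}
/* Constructed 64-byte stand-in for a firmware image (not real firmware). */
static const uint8_t sample_img[64] = { 'E', 'L', 'F', 1, 2, 3 };
/* Header with inflated size metadata, the CVE-2025-47372 pattern: refused. */
int load_inflated_header(void)
{
    uint8_t dst[32];
    phdr_t ph = { .p_offset = 0, .p_filesz = 48, .p_memsz = 48 }; /* > 32-byte buffer */
    return load_segment(sample_img, sizeof sample_img, &ph, dst, sizeof dst);
}
/* Header with consistent sizes: loads, and bytes beyond p_filesz are zeroed. */
int load_valid_header(void)
{
    uint8_t dst[32];
    phdr_t ph = { .p_offset = 0, .p_filesz = 6, .p_memsz = 16 };
    if (load_segment(sample_img, sizeof sample_img, &ph, dst, sizeof dst) != SEG_OK)
        return -99;
    return (dst[0] == 'E' && dst[5] == 3 && dst[6] == 0) ? SEG_OK : -98;
}
```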

The flaw affects 20+ chipsets, including QAM8255P, QAM8620P, SA8255P, SA8620P, and SRV1H/M variants used in Snapdragon platforms and servers. A related open-source boot issue, CVE-2025-47382 (CVSS 7.8, CWE-863), causes similar corruption when loading invalid firmware that lacks authorization checks; its patch appears in CodeLinaro EDK2 commits.

CVE ID | CVSS Score | Type | Affected Areas | Key Exploit Vector
CVE-2025-47372 | 9.0 (Critical) | Buffer Overflow (CWE-120) | Boot (Proprietary) | Oversized ELF read without authentication
CVE-2025-47382 | 7.8 (High) | Incorrect Authorization (CWE-863) | Boot (Open Source) | Invalid firmware load

Broader Implications and Response

Secure boot ensures only verified firmware chains from the bootloader to the OS, preventing rootkits; these flaws undermine that trust early, risking persistent malware or a full compromise before OS defenses activate.

While no active exploits have been confirmed, the boot-stage position mirrors past bootloader bypasses on Snapdragon chips, heightening the risk to billions of Android devices.

Qualcomm urges OEMs to patch released products immediately and notes chipset lists may expand; users should query vendors like Samsung for updates, as some December patches already address it.

The bulletin also covers other issues, such as HLOS information leaks (CVE-2025-47319) and audio buffer overflows, totaling over 100 vendor fixes in Android's bulletin. Unlike several other entries, CVE-2025-47372 carries no researcher credit.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
