CVE Alert: CVE-2025-47329 - Qualcomm, Inc. - Snapdragon

CVE-2025-47329

HIGHNo exploitation known

Memory corruption while handling invalid inputs in application info setup.

CVSS v3.1 (7.8)

AV LOCAL · AC LOW · PR LOW · UI NONE · S UNCHANGED

Vendor

Qualcomm, Inc.

Product

Snapdragon

Versions

FastConnect 7800 | QAM8255P | QAM8775P | QCA6574 | QCA6574A | QCA6574AU | QCA6595 | QCA6595AU | QCA6696 | QCM6690 | QCS6690 | SA6155P | SA8155P | SA8195P | SA8255P | SA8770P | SA8775P | SA9000P | Snapdragon 8 Gen 3 Mobile Platform | Snapdragon AR1 Gen 1 Platform | Snapdragon AR1 Gen 1 Platform "Luna1" | Snapdragon W5+ Gen 1 Wearable Platform | SW5100 | SW5100P | WCD9380 | WCD9385 | WCD9390 | WCD9395 | WCN6450 | WCN6755 | WCN7861 | WCN7881 | WSA8830 | WSA8832 | WSA8835 | WSA8840 | WSA8845 | WSA8845H

CWE

CWE-763, CWE-763: Release of Invalid Pointer or Reference

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Published

2025-09-24T15:33:56.356Z

Updated

2025-09-24T15:33:56.356Z

References

https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html

AI Summary Analysis

Risk verdict

High risk: memory corruption during application info setup can be triggered with local access and no user interaction, potentially compromising confidentiality, integrity and availability.

Why this matters

Qualcomm Snapdragon components are deployed across automotive, industrial IoT and wearable platforms, so an attacker with local access could disrupt critical services or exfiltrate sensitive data from multiple device classes. The combination of low privileges and no UI interaction lowers the bar for exploitation, making rapid remediation essential to reduce exposure.

Most likely attack path

An attacker granted local access crafts input to the application info setup flow, triggering a memory corruption fault. The exploit requires no user interaction and could execute code with low privileges, potentially enabling control of the affected component. Lateral movement within the device is plausible only if other subsystems share the corrupted memory context or rely on the same vulnerable path.

Who is most exposed

Devices with exposed application setup interfaces or unlockable configuration pathways on Snapdragon-based systems—especially in automotive infotainment, industrial IoT controllers and wearables—are at higher risk.

Detection ideas

Frequent crashes or reboots during application info setup; memory faults reported in crash dumps.
Logs showing invalid pointer dereferences or CWE-763 indicators near the setup code.
Anomalous, elevated error rates in the UI-less setup path.
Unusual, unexpected terminations of processes handling application information.
Evidence of anomalous low-privilege process code execution.

Mitigation and prioritisation

Apply the vendor security update or firmware patch that fixes the memory corruption in the affected setup path; coordinate with device release timelines.
Implement input validation hardening and bounds checking around the application info setup workflow.
Enable memory protection features (ASLR, DEP, sandboxing) and restrict or audit the setup interface access.
Consider temporary compensating controls: disable non-essential setup options, require code signing for setup inputs, and implement robust monitoring of the setup process.
Plan a staged rollout with regression testing in lab and pilot environments; monitor for related crash indicators post-deployment.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: CVE, cve-2025-47329, OSINT, qualcomm-inc, snapdragon, threatintel