CVE Alert: CVE-2025-47361 – Qualcomm, Inc. – Snapdragon

CVE-2025-47361

HIGH · No exploitation known

Memory corruption when triggering a subsystem crash with an out-of-range identifier.

CVSS v3.1: 7.8 (AV LOCAL · AC LOW · PR LOW · UI NONE · S UNCHANGED)
Vendor: Qualcomm, Inc.
Product: Snapdragon
Versions: QAM8255P | QAM8295P | QAM8620P | QAM8650P | QAM8775P | QAMSRV1H | QAMSRV1M | QCA6574AU | QCA6595 | QCA6595AU | QCA6688AQ | QCA6696 | QCA6698AQ | QCA6797AQ | QCA8695AU | SA7255P | SA7775P | SA8255P | SA8295P | SA8540P | SA8620P | SA8650P | SA8770P | SA8775P | SA9000P | SRV1H | SRV1L | SRV1M
CWE: CWE-129 Improper Validation of Array Index
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: 2025-11-04T03:19:19.924Z
Updated: 2025-11-04T03:19:19.924Z

AI Summary Analysis

Risk verdict

High severity local memory corruption vulnerability; patch promptly when a fix is available, with urgency if exploitation becomes observable.

Why this matters

Exploitation requires local access with low privileges and no user interaction, but the impact can be a crash or corruption of critical in-vehicle subsystems and data. In automotive contexts, such misuse can degrade safety‑critical functions or enable lateral movement within the same trust boundary, especially on QNX‑based Snapdragon Auto platforms.

Most likely attack path

An attacker with local access could trigger the issue by sending input containing an out‑of‑range identifier to a subsystem function that uses it as an array index. Because no user interaction is required, automated or device‑internal exploit paths are plausible, potentially causing a crash or state corruption without privilege escalation beyond the initial foothold. Scope is unchanged (S:U in the vector), so damage remains within the affected subsystem rather than cross‑domain.

Who is most exposed

Vehicles deploying Qualcomm Snapdragon Auto platforms with QNX‑based automotive software are most exposed, particularly infotainment and domain controller subsystems that expose array‑indexing interfaces to internal components.

Detection ideas

  • Subsystem crashes or watchdog resets linked to out‑of‑range indices in memory access paths.
  • Memory corruption crash dumps or stack traces pointing to array indexing code.
  • Anomalous locally generated IPC/API calls carrying invalid IDs.
  • Repetitive crash or fault events initiated without user interaction.
  • Unusual memory access patterns in crash and diagnostic logs.

Mitigation and prioritisation

  • Apply the vendor’s November 2025 security bulletin patch to all affected components; schedule via standard OTA or service campaigns.
  • Implement compensating controls: restrict local component access to trusted processes, segment IPC endpoints, disable unused services, enable memory safety monitoring.
  • Change-management: validate in a safe testbed for safety-critical subsystems before deployment; plan phased rollout in vehicles with rollback capabilities.
  • Verification: confirm patch removes observed crash patterns in test scenarios; run regression tests for safety‑relevant functions.
  • Prioritisation: treat as priority 1 if the CVE is listed in the Known Exploited Vulnerabilities (KEV) catalogue or its EPSS score is ≥ 0.5; otherwise proceed with prompt remediation based on vehicle exposure and patch availability.
