CVE Alert: CVE-2025-47360 – Qualcomm, Inc. – Snapdragon

CVE-2025-47360

HIGH · No exploitation known

Memory corruption while processing client message during device management.

CVSS v3.1 (7.8): AV LOCAL · AC LOW · PR LOW · UI NONE · S UNCHANGED
Vendor: Qualcomm, Inc.
Product: Snapdragon
Versions: QAM8255P | QAM8295P | QAM8620P | QAM8650P | QAM8775P | QAMSRV1H | QAMSRV1M | QCA6574AU | QCA6595 | QCA6595AU | QCA6688AQ | QCA6696 | QCA6698AQ | QCA6797AQ | QCA8695AU | SA6145P | SA6150P | SA6155P | SA7255P | SA7775P | SA8145P | SA8150P | SA8155P | SA8195P | SA8255P | SA8295P | SA8540P | SA8620P | SA8650P | SA8770P | SA8775P | SA9000P | SRV1H | SRV1L | SRV1M
CWE: CWE-121 Stack-based Buffer Overflow
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: 2025-11-04T03:19:18.581Z
Updated: 2025-11-04T03:19:18.581Z

AI Summary Analysis

Risk verdict

High risk of local memory corruption on Qualcomm Snapdragon Auto platforms running QNX, with potential for arbitrary code execution; patching should be treated as a priority when vendor updates are available.

Why this matters

An attacker with local access could crash or seize control of device-management components, compromising safety‑critical ECUs or serviceability. In automotive contexts, even transient exploitation can enable further manipulation of vehicle subsystems or degrade confidence in updates and fleet operations.

Most likely attack path

Exploitation requires local access and low privileges, with no user interaction. An attacker crafts malformed client messages to the device-management stack; if the memory corruption is triggered, code execution or a denial of service could follow, while scope remains within the affected component.

Who is most exposed

Vehicles using Qualcomm Snapdragon Auto with QNX-based management services and exposed maintenance/debug interfaces are most at risk, particularly in fleets or aftermarket environments where physical access or service port availability is higher.

Detection ideas

  • Crashes or watchdog resets during handling of client-management messages.
  • Stack traces or memory-corruption dumps in device-management processes.
  • Logs showing malformed or oversized client messages targeting the management interface.

Mitigation and prioritisation

  • Apply vendor patches as soon as released; test in a controlled environment before deployment.
  • Restrict access to device-management interfaces; disable unused debug ports; enforce strong authentication.
  • Implement strict input validation and memory-safety protections (stack canaries, bounds checks) in the management component.
  • Segment networks and enforce physical access controls to reduce local‑access risk.
  • If the CVE is listed in KEV or its EPSS score reaches ≥ 0.5, treat as priority 1; otherwise follow standard patch cadence with interim mitigations.
