Qualcomm Technologies has released its May 2026 Security Bulletin, disclosing 10 CVEs across proprietary and open-source software, including three Critical-rated vulnerabilities spanning remote code execution, PLC firmware exploitation, and bootloader memory corruption.
The bulletin affects a wide range of Snapdragon, FastConnect, and automotive chipsets, requiring immediate action from OEMs and enterprise device administrators.
The most severe flaw patched this cycle is CVE-2026-25254 (CVSS 9.8 Critical), a remotely exploitable Improper Authorization vulnerability in the Qualcomm Software Center (QSC).
Classified under CWE-285, the flaw allows an unauthenticated remote attacker to achieve Remote Code Execution (RCE) via the SocketIO interface with no user interaction required. Affected versions include QSCv1.17.1, QSCv1.19.1, and QSCv1.21.0. The flaw was reported on January 9, 2026, by security researcher Aaron Thacker.
Equally alarming is CVE-2026-25293 (CVSS 9.6 Critical), a buffer overflow caused by incorrect authorization in PLC Firmware (PLC FW) that affects QCA7005 chipsets used in industrial and smart-grid environments.
Discovered by Tobias Scharnowski, Felix Buchmann, and Kristian Covic of Fuzzware.io via Trend Micro’s Zero Day Initiative, this adjacent-network-accessible flaw carries a Scope: Changed rating, meaning a successful exploit could impact systems beyond the vulnerable component itself, a major concern for ICS/SCADA deployments.
The third Critical CVE, CVE-2026-25262 (CVSS 6.9 physical, Critical-rated), targets the Primary Bootloader across legacy chipsets, including MDM9x07, MDM9x45, MDM9x55, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50.
Classified as CWE-123, the vulnerability, discovered by Alexander Kozlov of Kaspersky ICS CERT, enables memory corruption when processing a specially crafted ELF file. Although it requires physical access and user interaction, a successful exploit could fully compromise boot integrity.
Two internally discovered WLAN vulnerabilities round out the high-severity tier. CVE-2025-47401 (CVSS 6.5) is a buffer overflow in WLAN HAL that causes a transient denial-of-service when processing malformed power rate tables during channel configuration.
Its sibling, CVE-2025-47403 (CVSS 6.5), affects WLAN Firmware and triggers a DoS via a malformed Fast Transition (802.11r) response frame, impacting over 200 chipsets, including the Snapdragon 8 Elite, Snapdragon 8 Gen 3, and the entire FastConnect 6200–7800 series, posing a significant risk in enterprise Wi-Fi environments.
CVE-2026-25255 (CVSS 8.8 High) is a particularly dangerous privilege escalation flaw in Qualcomm Package Manager (QPM) and Qualcomm Software Center, exposing a critical gRPC server function (CWE-749).
An attacker with low-privileged local access can exploit exposed gRPC endpoints to escalate to SYSTEM-level privileges. Affected versions include QPMv3.0.125.4, QPMv3.0.126.7, QPMv3.0.127.2, and QSCv1.17.1–v1.21.0. The flaw was reported by the same researcher who found CVE-2026-25254.
CVE-2025-47408 (CVSS 7.8 High) affects WINBLAST-POWER firmware, where an Untrusted Pointer Dereference (CWE-822) enables memory corruption when a malicious driver submits invalid IOCTL buffers. This locally exploitable flaw affects the FastConnect 6200/6900/7800, Snapdragon XR2 5G Platform, SC8380XP, and SD865 5G chipsets.
Three moderate-severity CVEs were also disclosed. CVE-2025-47405 (CVSS 7.8) is an Untrusted Pointer Dereference in the Camera subsystem, triggering memory corruption via invalid camera sensor IOCTL output buffers.
CVE-2025-47406 (CVSS 6.1) is an information disclosure flaw in the DSP Service, arising from IOCTL handler callbacks that lack proper buffer size validation. It affects Snapdragon 8cx Gen 3, 7c+ Gen 3, and SC8380XP compute platforms.
CVE-2026-25266 (CVSS 5.5), affecting the Windows WLAN Host driver, causes memory corruption when an IOCTL command is processed while the device is in a power-save state, a scenario particularly relevant on always-connected Snapdragon X-series Windows laptops.
On the open-source side, CVE-2026-24082 (CVSS 7.8 High) is a Use-After-Free vulnerability in the Automotive GPU component. Memory corruption occurs when copying data from a freed source during performance counter deselection.
The patch is available on CodeLinaro for kernel/msm-5.15. Additionally, CVE-2025-47404 is a Classic Buffer Overflow in Automotive Audio (CWE-120, CVSS 6.5), while CVE-2025-47407 is a TOCTOU Race Condition in the DSP Service (CWE-367, CVSS 7.8), both of which are addressed via open-source commits.
This bulletin affects an extraordinarily wide range of chipsets, from consumer Snapdragon 4/6/7/8 series mobile SoCs to automotive SA-series platforms, industrial IoT QCA chipsets, AR/XR platforms, and Windows-on-ARM compute devices.
With the 2026 threat landscape increasingly featuring automated vulnerability exploitation and AI-accelerated attack chains, unpatched firmware in these chipsets represents a high-value attack surface. Qualcomm has directly notified OEMs and strongly recommends immediate deployment of patches on all released devices.
Recommended actions:
- Contact your device OEM to verify patch deployment status for all affected Snapdragon-based hardware
- Enterprise IT teams should audit Windows-on-ARM fleets for CVE-2026-25255 and CVE-2026-25266 exposure
- ICS/SCADA operators running QCA7005-based PLC systems should treat CVE-2026-25293 as a P1 priority patch
- Developers using Qualcomm Software Center or Package Manager must upgrade to patched QSC and QPM versions immediately
- Monitor Qualcomm’s official security portal at www.qualcomm.com/support for OEM-specific patch availability
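
One way to script the audit in the recommended actions, as an added example that is not from Qualcomm or the original article: it matches an asset inventory against the affected QSC/QPM versions and the QCA7005 chipset named above, and sorts findings by CVSS score. The inventory rows, host names and CSV columns are constructed assumptions.

```python
import csv
import io
import re

# Affected versions and chipset as listed in the article text above.
# Fields: cve, cvss, product, exact versions, inclusive (low, high) range.
ADVISORIES = [
    ("CVE-2026-25254", 9.8, "QSC", {"1.17.1", "1.19.1", "1.21.0"}, None),
    ("CVE-2026-25255", 8.8, "QSC", set(), ("1.17.1", "1.21.0")),
    ("CVE-2026-25255", 8.8, "QPM", {"3.0.125.4", "3.0.126.7", "3.0.127.2"}, None),
]
AFFECTED_CHIPSETS = {"QCA7005": ("CVE-2026-25293", 9.6)}

# Constructed sample inventory; host names and column layout are assumptions.
SAMPLE_INVENTORY = """host,product,version,chipset
dev-laptop-01,QSC,QSCv1.19.1,
dev-laptop-02,QSC,v1.18.0,
build-01,QPM,QPMv3.0.126.7,
build-02,QPM,v3.0.128.0,
plc-gw-07,,,QCA7005
"""

def parse_version(text):
    """Turn 'QSCv1.19.1' or 'v1.19.1' into (1, 19, 1) for numeric comparison."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in match.group().split(".")) if match else None

def matches(version, exact, vrange):
    """True if version is listed exactly or falls inside the inclusive range."""
    if version is None:
        return False
    if any(parse_version(v) == version for v in exact):
        return True
    return bool(vrange) and parse_version(vrange[0]) <= version <= parse_version(vrange[1])

def triage(inventory_csv):
    """Return (cvss, host, cve) findings, highest score first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["version"] or "")
        for cve, cvss, product, exact, vrange in ADVISORIES:
            if row["product"] == product and matches(version, exact, vrange):
                findings.append((cvss, row["host"], cve))
        if row["chipset"] in AFFECTED_CHIPSETS:
            cve, cvss = AFFECTED_CHIPSETS[row["chipset"]]
            findings.append((cvss, row["host"], cve))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))
```

Calling `triage(SAMPLE_INVENTORY)` returns the findings as a sorted list. A version that sits inside the listed range but is not named exactly (here the constructed `v1.18.0`) is flagged only for CVE-2026-25255 and should be confirmed against the official bulletin.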
| CVE ID | CVSS Score | Area | Access | Key Risk |
|---|---|---|---|---|
| CVE-2026-25254 | 9.8 Critical | Qualcomm Software Center | Remote | Unauthenticated RCE via SocketIO |
| CVE-2026-25293 | 9.6 Critical | PLC Firmware | Adjacent | Buffer overflow, ICS/SCADA risk |
| CVE-2026-25262 | 6.9 Critical | Primary Bootloader | Physical | Boot integrity compromise |
| CVE-2026-25255 | 8.8 High | QPM / QSC | Local | Privilege escalation via gRPC |
| CVE-2025-47408 | 7.8 High | WINBLAST-POWER | Local | Memory corruption via IOCTL |
| CVE-2025-47401 | 6.5 High | WLAN HAL | Adjacent | Transient DoS |
| CVE-2025-47403 | 6.5 High | WLAN Firmware | Adjacent | DoS via malformed 802.11r frame |
| CVE-2026-24082 | 7.8 High | Automotive GPU | Local | Use-After-Free memory corruption |
| CVE-2025-47405 | 7.8 Medium | Camera | Local | Memory corruption via IOCTL |
| CVE-2025-47407 | 7.8 Medium | DSP Service | Local | TOCTOU race condition |
FAQ
Q1: What is the most critical vulnerability in the Qualcomm May 2026 bulletin?
CVE-2026-25254 is the most critical, scoring CVSS 9.8, allowing unauthenticated remote code execution via Qualcomm Software Center’s SocketIO interface with no user interaction required.
Q2: Which Qualcomm chipsets are affected by the WLAN vulnerabilities?
CVE-2025-47401 and CVE-2025-47403 affect over 200 chipsets, including Snapdragon 8 Elite, Snapdragon 8 Gen 1/2/3, FastConnect 6200–7800, and most Snapdragon mobile and compute platforms.
Q3: Are industrial and automotive systems at risk from this bulletin?
Yes, CVE-2026-25293 targets QCA7005-based PLC firmware used in industrial environments, and CVE-2026-24082 and CVE-2025-47404 affect automotive GPU and audio subsystems across SA-series chips.
Q4: How can users and OEMs obtain patches for the disclosed vulnerabilities?
OEMs should contact Qualcomm directly via www.qualcomm.com/support; open-source patches are publicly available on the CodeLinaro Git repository linked within the official May 2026 bulletin.
Site: thecybrdef.com