CVE-2025-21484 Overview
CVE-2025-21484 is an information disclosure vulnerability affecting a broad range of Qualcomm Snapdragon firmware platforms. The flaw resides in the User Equipment (UE) modem code that decodes and reassembles fragments from Real-time Transport Protocol (RTP) packets received over the network. Improper bounds handling during fragment reassembly allows an unauthenticated remote attacker to read memory beyond the intended buffer, leaking sensitive information from the modem subsystem. The weakness is classified under CWE-126: Buffer Over-read. Qualcomm published a patch in its September 2025 Security Bulletin.
Critical Impact
A remote attacker can send a crafted RTP packet to the UE and disclose memory contents from the modem without authentication or user interaction.
Affected Products
- Qualcomm Snapdragon Mobile Platforms (including Snapdragon 8 Gen 3, 8+ Gen 1, 865, 855, 845, 835)
- Qualcomm Snapdragon Automotive, Wearable, XR, and Compute Platforms (SA8155P, SA8295P, SA8775P, SW5100, SXR2130)
- Qualcomm FastConnect, QCA, WCN, WCD, and WSA series firmware components
Discovery Timeline
- 2025-09-24 - CVE-2025-21484 published to NVD
- 2025-09 - Qualcomm releases security patch in September 2025 Bulletin
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2025-21484
Vulnerability Analysis
The vulnerability occurs in the RTP processing path of Qualcomm's UE modem firmware. When the modem receives an RTP packet that has been fragmented for transport, it must decode each fragment and reassemble the payload into a complete frame. The reassembly routine reads past the allocated buffer boundary, returning adjacent memory contents to the caller. This buffer over-read condition exposes data residing in the modem's memory space, which can include protocol state, session identifiers, or other transient information.
Because RTP carries real-time voice and video media in cellular networks (VoLTE, VoNR, ViLTE), the affected code path executes against packets sourced from peer endpoints or hostile network elements. The attacker does not need credentials or interaction from the device user.
Root Cause
The defect is a CWE-126 Buffer Over-read in the fragment reassembly logic. Length fields supplied by the network are trusted without sufficient validation against the destination buffer size, causing the decoder to read beyond the end of the input or output buffer during reassembly.
Attack Vector
Exploitation is performed over the network. An attacker capable of delivering RTP traffic to the target UE crafts fragmented RTP packets with malformed length or fragmentation indicators. When the modem processes these fragments, it over-reads memory and returns the leaked bytes either in error responses or in subsequent media frames observable to the attacker. No authentication or user action is required.
No verified public proof-of-concept code is available for this issue. Refer to the Qualcomm September 2025 Security Bulletin for vendor technical details.
Detection Methods for CVE-2025-21484
Indicators of Compromise
- Unusually high volume of malformed or fragmented RTP packets directed at mobile endpoints or carrier infrastructure
- RTP sessions originating from unexpected SIP or IMS peers that immediately initiate fragmented media
- Modem subsystem crashes or radio interface anomalies correlated with inbound RTP traffic
Detection Strategies
- Inspect RTP traffic at IMS or SBC boundaries for fragment length fields that exceed declared payload sizes
- Apply protocol-aware deep packet inspection to flag non-conformant RTP fragmentation patterns
- Correlate modem firmware logs with network telemetry to identify suspect remote peers
Monitoring Recommendations
- Track firmware versions across mobile, automotive, IoT, and XR fleets to confirm patch coverage against the September 2025 Qualcomm bulletin
- Forward modem and baseband diagnostic events to a centralized log platform for anomaly review
- Monitor for repeated RTP session resets or media decoding failures that may indicate exploitation attempts
How to Mitigate CVE-2025-21484
Immediate Actions Required
- Apply the firmware updates referenced in the Qualcomm September 2025 Security Bulletin to all affected Snapdragon and Qualcomm chipset-based devices
- Coordinate with OEMs and carriers to confirm patched firmware images are pushed through over-the-air update channels
- Inventory deployed devices using the affected platform list and prioritize internet-facing and high-value endpoints
Patch Information
Qualcomm released fixes as part of the September 2025 Security Bulletin. Device manufacturers integrate these patches into their respective Android, automotive, and IoT firmware releases. Verify the patch level reported by each device matches or exceeds the September 2025 security patch level.
Workarounds
- Restrict RTP and IMS media flows to trusted peers using carrier-side filtering where feasible
- Disable VoLTE or VoNR on managed devices that do not require cellular voice services until patched firmware is deployed
- Enforce network-level rate limiting and anomaly filtering on RTP fragmentation patterns at the carrier edge
# Verify Android security patch level on managed devices
adb shell getprop ro.build.version.security_patch
# Expected output: 2025-09-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
