CVE-2025-21484 Overview
CVE-2025-21484 is an information disclosure vulnerability affecting a broad range of Qualcomm chipsets and firmware. The flaw occurs when the User Equipment (UE) receives a Real-time Transport Protocol (RTP) packet from the network and decodes or reassembles its fragments. Improper handling during fragment reassembly enables an attacker on the network to read memory contents beyond the intended buffer boundaries. The vulnerability is classified under [CWE-126: Buffer Over-read].
Critical Impact
A network-adjacent attacker can trigger out-of-bounds memory disclosure on devices using affected Qualcomm modems and firmware, potentially exposing sensitive memory contents without requiring authentication or user interaction.
Affected Products
- Qualcomm Snapdragon mobile platforms (including Snapdragon 8 Gen 3, 8+ Gen 1, 865 5G, 855, 845, and 4 Gen 1)
- Qualcomm automotive and XR platforms (SA8255P, SA8775P, Snapdragon XR2 5G, Snapdragon 820 Automotive Platform)
- Qualcomm FastConnect, QCA, WCN, WCD, and WSA connectivity and audio firmware components
Discovery Timeline
- 2025-09-24 - CVE-2025-21484 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2025-21484
Vulnerability Analysis
The vulnerability resides in the RTP packet processing path within Qualcomm modem firmware. RTP is the transport protocol used for delivering audio and video over IP networks, including VoLTE and VoNR voice calls. When the UE receives RTP packets that contain fragmented payloads, the firmware decodes and reassembles those fragments before passing them to upper layers. During this reassembly, the code fails to correctly validate fragment boundaries against the underlying buffer size.
Because the flaw is reachable across the network without authentication or user interaction, an attacker capable of injecting or modifying RTP traffic toward a target UE can repeatedly trigger the over-read. The disclosed data may contain residual contents of adjacent memory regions on the modem processor.
Root Cause
The root cause is a buffer over-read [CWE-126] in the RTP fragment reassembly routine. The decoder reads past the end of a source buffer when computing offsets or lengths derived from attacker-controlled fields in the RTP packet header. Missing bounds checks during fragment concatenation allow the read pointer to advance beyond allocated memory.
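The kind of bounds checking this root-cause description says was missing, as an added example (not Qualcomm's firmware code and not taken from the advisory). It assumes the generic RTP header of RFC 3550, since the advisory does not name the fields involved; `rtp_payload_span`, `reasm_append` and the sample packets are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct rtp_span { size_t off, len; };   /* validated payload location */

/* Locate the payload of an RTP packet (RFC 3550, section 5.1). Every length
 * read from the packet is checked against n, the bytes actually received,
 * before it is used as an offset. Returns 0, or -1 on any overrun. */
int rtp_payload_span(const uint8_t *p, size_t n, struct rtp_span *out)
{
    if (p == NULL || out == NULL || n < 12) return -1;   /* fixed header */
    if ((p[0] >> 6) != 2) return -1;                      /* version 2 only */
    size_t off = 12 + 4u * (size_t)(p[0] & 0x0F);        /* CSRC list */
    if (off > n) return -1;
    if (p[0] & 0x10) {                                    /* X: extension */
        if (n - off < 4) return -1;
        size_t words = ((size_t)p[off + 2] << 8) | p[off + 3];
        off += 4;
        if (words * 4 > n - off) return -1;
        off += words * 4;
    }
    size_t len = n - off;
    if (p[0] & 0x20) {                                    /* P: padding */
        size_t pad = p[n - 1];         /* count includes this octet */
        if (pad == 0 || pad > len) return -1;
        len -= pad;
    }
    out->off = off;
    out->len = len;
    return 0;
}

/* Append one validated fragment to a reassembly buffer of capacity cap.
 * Returns 0, or -1 without copying if the fragment does not fit. */
int reasm_append(uint8_t *dst, size_t cap, size_t *used,
                 const uint8_t *pkt, const struct rtp_span *s)
{
    if (*used > cap || s->len > cap - *used) return -1;
    memcpy(dst + *used, pkt + s->off, s->len);
    *used += s->len;
    return 0;
}

/* Constructed sample packets: one valid, three with lengths that overrun. */
static const uint8_t PKT_OK[]      = {0x80,0x60,0,1, 0,0,0,1, 0,0,0,2, 'a','b','c','d'};
static const uint8_t PKT_BAD_CC[]  = {0x8F,0x60,0,1, 0,0,0,1, 0,0,0,2};            /* 15 CSRCs claimed */
static const uint8_t PKT_BAD_EXT[] = {0x90,0x60,0,1, 0,0,0,1, 0,0,0,2, 0,0,0xFF,0xFF};
static const uint8_t PKT_BAD_PAD[] = {0xA0,0x60,0,1, 0,0,0,1, 0,0,0,2, 'a',0x09};  /* pad 9 > 2 */

int main(void) { struct rtp_span s; return rtp_payload_span(PKT_OK, sizeof PKT_OK, &s); }
```

The three rejected packets each declare a length (CSRC count, extension length, padding count) larger than the bytes actually received, which is the condition that leads to an over-read when left unchecked.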
Attack Vector
Exploitation requires the attacker to deliver crafted RTP packets to the UE over the network path used for media transport. This can occur through a rogue or compromised IMS/VoLTE infrastructure, a man-in-the-middle position on the media path, or any scenario where an attacker controls the RTP stream sent to the device. No user interaction or prior authentication is required. Successful exploitation discloses memory contents from the modem subsystem and may also induce limited availability impact.
Detection Methods for CVE-2025-21484
Indicators of Compromise
- Anomalous or malformed RTP packets directed at mobile devices, particularly fragments with inconsistent length fields or unexpected sequence patterns
- Repeated RTP sessions from untrusted or unexpected IMS peers targeting the same UE
- Unexpected modem crashes, resets, or diagnostic logs referencing RTP decode or reassembly errors
Detection Strategies
- Inspect IMS/VoLTE media traffic at the carrier or enterprise edge for RTP packets with malformed fragmentation headers
- Monitor mobile device telemetry for modem subsystem restarts correlated with active voice or video sessions
- Correlate device firmware versions against the Qualcomm September 2025 security bulletin to identify unpatched assets
Monitoring Recommendations
- Enable logging on IMS core components for abnormal RTP packet structures and fragmentation anomalies
- Track mobile fleet patch levels through Mobile Device Management (MDM) to confirm distribution of the vendor patch
- Capture and review modem crash reports from managed devices for signatures consistent with RTP decoder faults
How to Mitigate CVE-2025-21484
Immediate Actions Required
- Identify all devices in the environment using affected Qualcomm chipsets and firmware listed in the vendor advisory
- Apply the firmware updates distributed by device OEMs incorporating Qualcomm's September 2025 patch as soon as they become available
- Restrict use of untrusted Wi-Fi calling or unknown IMS networks on high-value devices until patches are deployed
Patch Information
Qualcomm released the fix as part of its September 2025 Security Bulletin. Device manufacturers must integrate the patched modem firmware into their OEM updates. Refer to the Qualcomm Security Bulletin September 2025 for complete component-level patch details and affected version mappings.
Workarounds
- No vendor-provided workaround exists; firmware update is the only complete remediation
- Where feasible, prefer carrier networks with validated IMS infrastructure and avoid attaching to untrusted small cells or femtocells
- Disable VoLTE/VoNR or Wi-Fi calling on devices that cannot be patched promptly and where voice services can tolerate fallback
```bash
# Verify patch level on Android devices (example)
adb shell getprop ro.build.version.security_patch
adb shell getprop ro.vendor.build.security_patch
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


