CVE-2025-21487 Overview
CVE-2025-21487 is an information disclosure vulnerability in Qualcomm modem firmware affecting a wide range of Snapdragon, FastConnect, and related chipsets. The flaw occurs while decoding a Real-time Transport Protocol (RTP) packet received by the User Equipment (UE) from the network. When the payload length field exceeds the available buffer length, the decoder reads memory beyond the buffer boundary. This results in a buffer over-read [CWE-126], leaking modem memory contents to a remote network attacker. Qualcomm published the issue in its September 2025 Security Bulletin.
Critical Impact
A network-positioned attacker can trigger out-of-bounds reads in the modem's RTP handler to disclose sensitive memory contents from affected Qualcomm baseband devices without user interaction.
Affected Products
- Qualcomm Snapdragon mobile platforms (including 8 Gen 1/2/3, 8+ Gen 1, 888, 865, 855, 845, 765, 480, 460; the bulletin's part list is authoritative)
- Qualcomm FastConnect 6200/6700/6800/6900/7800 and Snapdragon X50/X55 5G Modem-RF Systems
- Qualcomm automotive (SA8155P, SA8295P, SA8775P), wearable (W5+ Gen 1), and XR platforms
Discovery Timeline
- 2025-09-24 - CVE-2025-21487 published to NVD
- 2025-11-28 - Last updated in NVD database
Technical Details for CVE-2025-21487
Vulnerability Analysis
The vulnerability resides in the modem's RTP packet decoder, which is invoked when the UE processes RTP traffic delivered by the network. RTP is the transport used for voice and media streams in IMS/VoLTE/VoNR services. During decoding, the implementation trusts a length field carried in the packet without validating it against the number of bytes actually received. Note that the fixed RTP header (RFC 3550) carries no payload length at all: the payload length is whatever remains of the UDP datagram after the fixed header, the CSRC list and any header extension are subtracted, so the sender-controlled sizes a receiver must bound-check are the CSRC count, the header-extension length, the padding count in the last octet, and any length fields added by the negotiated payload format. The published description identifies the field only as a payload length field, so which of these the decoder mishandles is not stated.
When the declared payload length is larger than the available buffer, the parser reads adjacent memory regions belonging to the modem's address space. The data read can include residual state, control structures, or sensitive information processed by the baseband. Because the modem operates as a privileged isolated subsystem on Snapdragon SoCs, leaked content can include data unreachable from the application processor under normal conditions.
Root Cause
The defect is classified as Buffer Over-read [CWE-126]. The RTP decoder uses a length field supplied by the remote sender as the basis for a read or copy without first checking it against the capacity of the receive buffer, so the read extends past the allocated region. In decoders of this kind the over-read is often far larger than the declared field alone suggests: when the remaining-length computation is done in unsigned arithmetic, a declared size greater than what arrived does not go negative but wraps to a value near the type's maximum.
Attack Vector
Exploitation requires the ability to deliver crafted RTP packets to the UE's IMS media plane; no authentication, user interaction, or local access is required. In practice that means being the remote party of a call, operating a rogue or compromised IMS or SBC element in the media path, or otherwise injecting packets into the bearer that carries the media stream. The attacker sets the length field to a value greater than the bytes actually present and the decoder's read runs past the receive buffer. The result is information disclosure, with a possible limited availability impact if the over-read reaches unmapped memory and faults the modem subsystem.
// No verified proof-of-concept code is publicly available.
// See the Qualcomm September 2025 Security Bulletin for technical details.
Detection Methods for CVE-2025-21487
Indicators of Compromise
- Anomalous RTP packets where the declared payload length does not match the UDP/IP transport-derived size.
- Unexpected modem crashes, resets, or diagnostic logs referencing RTP decoding routines.
- VoLTE/VoNR session anomalies originating from untrusted or unexpected IMS peers.
Detection Strategies
- Inspect RTP traffic at carrier edge or enterprise mobile gateways for header length fields exceeding the actual datagram payload size.
- Correlate baseband crash dumps and modem subsystem restarts with inbound RTP media, and with the SIP signaling that set up the session, around the time of the event.
- Monitor IMS signaling for unusual SDP parameters preceding malformed RTP media streams.
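The following is an added example, not code from Qualcomm or from the bulletin, and not a proof of concept for this CVE: a C validator for the RFC 3550 RTP fields a receiver must bound against the datagram length, shown beside a deliberately unchecked decoder of the kind described under Root Cause and Attack Vector, and wrapped in the sweep that the first Detection Strategy above amounts to. Which length field Qualcomm's decoder mishandles is not public, so the header-extension length and the padding count stand in for it; the packet bytes are constructed, and the names rtp_decode_unchecked, rtp_decode_checked, count_malformed and rtp_view are this example's own.

```c
/* Added example (not Qualcomm code, not a PoC): RFC 3550 RTP length checks.
 * The fixed RTP header has no payload-length field; the sender-controlled
 * sizes are the CSRC count (CC), the header-extension length and the padding
 * count in the last octet. Each must be bounded by the real datagram length. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RTP_FIXED_HDR 12u

struct rtp_view {
    size_t payload_off;  /* offset of the media payload in the datagram */
    size_t payload_len;  /* media payload bytes, excluding padding       */
};

/* Hypothetical vulnerable decoder: uses every declared length as-is.
 * It only computes offsets (no copy), so the over-read shows up as a
 * payload_off/payload_len larger than len; a real decoder would then read
 * that many bytes past the receive buffer. The samples keep CC = 0 so the
 * extension-length fetch itself stays inside the sample buffers. */
static void rtp_decode_unchecked(const uint8_t *pkt, size_t len, struct rtp_view *v)
{
    size_t off = RTP_FIXED_HDR + 4u * (pkt[0] & 0x0Fu);          /* skip CSRCs */
    if (pkt[0] & 0x10u) {                                        /* X: extension */
        uint16_t ext_words = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        off += 4u + 4u * (size_t)ext_words;                      /* trusted */
    }
    size_t pad = (pkt[0] & 0x20u) ? pkt[len - 1] : 0u;           /* P: padding */
    v->payload_off = off;
    v->payload_len = len - off - pad;   /* wraps to a huge value if off+pad > len */
}

/* Hardened decoder: every declared size is bounded by what actually arrived.
 * Returns 0 on success or a negative code naming the first violated check. */
static int rtp_decode_checked(const uint8_t *pkt, size_t len, struct rtp_view *v)
{
    if (len < RTP_FIXED_HDR || (pkt[0] >> 6) != 2u) return -1;   /* short / not v2 */
    size_t off = RTP_FIXED_HDR + 4u * (pkt[0] & 0x0Fu);
    if (off > len) return -2;                                    /* CSRC list overruns */
    if (pkt[0] & 0x10u) {
        if (len - off < 4u) return -3;                           /* no room for ext hdr */
        uint16_t ext_words = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        size_t ext_bytes = 4u + 4u * (size_t)ext_words;
        if (ext_bytes > len - off) return -4;                    /* declared ext > datagram */
        off += ext_bytes;
    }
    size_t pad = 0;
    if (pkt[0] & 0x20u) {
        pad = pkt[len - 1];                                      /* count includes itself */
        if (pad == 0 || pad > len - off) return -5;              /* declared pad > remainder */
    }
    v->payload_off = off;
    v->payload_len = len - off - pad;
    return 0;
}

/* Constructed sample datagrams (20 bytes each, PT 0, CC = 0). */
static const uint8_t pkt_ok[20] = {
    0x80, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0xDE, 0xAD, 0xBE, 0xEF,   /* V2, no X/P */
    1, 2, 3, 4, 5, 6, 7, 8 };                                    /* 8 payload bytes */
static const uint8_t pkt_bad_ext[20] = {
    0x90, 0x00, 0x00, 0x02, 0, 0, 0, 0, 0xDE, 0xAD, 0xBE, 0xEF,   /* V2, X set */
    0xBE, 0xDE, 0xFF, 0xFF,                                      /* ext len 65535 words */
    1, 2, 3, 4 };
static const uint8_t pkt_bad_pad[20] = {
    0xA0, 0x00, 0x00, 0x03, 0, 0, 0, 0, 0xDE, 0xAD, 0xBE, 0xEF,   /* V2, P set */
    1, 2, 3, 4, 5, 6, 7, 0xFF };                                 /* pad count 255 */

/* Edge-side detection sweep: how many datagrams fail the bounds checks. */
static int count_malformed(const uint8_t *const *pkts, const size_t *lens, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        struct rtp_view v;
        if (rtp_decode_checked(pkts[i], lens[i], &v) != 0) bad++;
    }
    return bad;
}

int main(void)
{
    const uint8_t *pkts[] = { pkt_ok, pkt_bad_ext, pkt_bad_pad };
    const size_t lens[] = { sizeof pkt_ok, sizeof pkt_bad_ext, sizeof pkt_bad_pad };
    for (size_t i = 0; i < 3; i++) {
        struct rtp_view u, c;
        rtp_decode_unchecked(pkts[i], lens[i], &u);
        int rc = rtp_decode_checked(pkts[i], lens[i], &c);
        printf("pkt %zu: unchecked payload_len=%zu (buffer %zu) checked rc=%d\n",
               i, u.payload_len, lens[i], rc);
    }
    printf("malformed: %d of 3\n", count_malformed(pkts, lens, 3));
    return 0;
}
```

The subtraction in the unchecked decoder is the point to look at: with size_t operands, a declared size larger than the remaining bytes wraps to a value near SIZE_MAX, which is what turns one missing check into an effectively unbounded read. The hardened version compares each declared size against `len - off` instead of computing `off + declared`, so the check itself cannot overflow, and it treats a padding count of zero as invalid because RFC 3550 defines the count as including the count octet itself.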
Monitoring Recommendations
- Enable carrier-grade IMS/RTP anomaly logging where supported and review for malformed packet patterns.
- Track Qualcomm security bulletin advisories and OEM patch level (SPL) deployment status across the mobile fleet.
- For managed mobile estates, use mobile threat defense telemetry to surface devices on outdated baseband firmware.
How to Mitigate CVE-2025-21487
Immediate Actions Required
- Apply the OEM firmware update that incorporates the fixes from Qualcomm's September 2025 Security Bulletin as soon as it is available for the affected hardware; OEMs ship these as part of their regular security patch level (SPL) releases.
- Inventory devices using the affected chipsets listed in the Qualcomm bulletin and prioritize patching for high-risk users.
- Restrict use of untrusted Wi-Fi calling and third-party IMS services on unpatched devices.
Patch Information
Qualcomm addressed the issue in its September 2025 Security Bulletin. Refer to the Qualcomm Security Bulletin September 2025 for the list of fixed components. Device-level fixes are delivered by OEMs through firmware/SPL updates; verify the security patch level on each device after installation.
Workarounds
- Disable VoLTE/VoNR/Wi-Fi calling on devices that cannot be patched promptly, where operationally acceptable.
- Avoid connecting to untrusted carrier networks or rogue base stations and prefer carriers that filter malformed RTP at the IMS edge.
- Apply enterprise mobile policies restricting installation of apps that establish arbitrary RTP/SIP sessions. Note that third-party VoIP apps normally decode their RTP on the application processor rather than in the modem, so this offers limited protection against this specific issue; it matters mainly for apps that route calls through the device's native IMS stack.
# Verify the security patch level on a managed device (framework and vendor partitions)
adb shell getprop ro.build.version.security_patch
adb shell getprop ro.vendor.build.security_patch
# Record the baseband version so OEM release notes can be matched against the bulletin
adb shell getprop gsm.version.baseband
# Confirm the patch level is 2025-09-01 or later before considering the device patched
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.