CVE-2025-47371 Overview
CVE-2025-47371 is a transient denial of service vulnerability affecting a wide range of Qualcomm chipset firmware. The vulnerability occurs when an LTE RLC (Radio Link Control) packet with an invalid Transport Block (TB) is received by the User Equipment (UE). This flaw in packet validation within the LTE modem firmware can cause temporary service disruption on affected mobile devices, fixed wireless access platforms, and automotive systems.
The vulnerability is classified under CWE-617 (Reachable Assertion), indicating that the firmware contains an assertion that can be triggered by malformed network data, leading to a denial of service condition. Given the adjacent network attack vector required for exploitation, an attacker would need to be within radio proximity of the target device or have access to cellular infrastructure to send malicious LTE packets.
Critical Impact
Attackers within radio proximity can cause temporary service disruption on affected Qualcomm-based mobile devices, IoT systems, and automotive platforms by sending malformed LTE packets.
Affected Products
- Qualcomm Snapdragon 8 Gen 1/2/3 Mobile Platforms and Firmware
- Qualcomm Snapdragon X55/X65/X72/X75/X80 5G Modem-RF Systems
- Qualcomm FastConnect 6200/6700/6800/6900/7800 Wi-Fi/Bluetooth Chipsets
- Qualcomm Snapdragon Auto 5G Modem-RF (Gen 1 and Gen 2)
- Qualcomm 5G Fixed Wireless Access Platform
- Qualcomm Robotics RB2 Platform
- Qualcomm QCS/QCM Series Compute Platforms
Discovery Timeline
- March 2, 2026 - CVE-2025-47371 published to NVD
- March 4, 2026 - Last updated in NVD database
Technical Details for CVE-2025-47371
Vulnerability Analysis
This vulnerability exists in the LTE RLC layer processing within Qualcomm modem firmware. The Radio Link Control protocol is responsible for segmentation, reassembly, and reliable delivery of data over the LTE air interface. When processing incoming RLC packets, the firmware expects Transport Block data to conform to specific structural requirements.
The vulnerability manifests when the modem receives an RLC packet containing an invalid Transport Block. Rather than gracefully handling this malformed input, the firmware triggers a reachable assertion (CWE-617), causing a transient denial of service condition. The "transient" nature indicates the device can recover from this state, though service interruption occurs during the recovery period.
The attack requires adjacent network access, meaning an attacker must be within LTE radio range of the target device or have compromised cellular infrastructure capable of injecting malicious packets. No user interaction or authentication is required to trigger the vulnerability.
Root Cause
The root cause is improper input validation in the LTE RLC packet processing code within Qualcomm modem firmware. The firmware contains an assertion that checks Transport Block validity, but this assertion is reachable via external input rather than being limited to internal error conditions. When the assertion fails due to an invalid TB in a received RLC packet, it causes the modem to enter an error state resulting in service disruption.
This type of vulnerability typically occurs when assertions intended for development debugging remain in production code, or when input validation relies on assertions rather than proper error handling with graceful recovery.
Attack Vector
The attack leverages the LTE air interface to deliver malicious packets to vulnerable devices. An attacker would need to either operate a rogue base station within radio proximity of the target or compromise legitimate cellular infrastructure. The attack flow involves:
- Attacker establishes or compromises an LTE cell tower within range of target devices
- Malformed LTE RLC packets with invalid Transport Block data are crafted
- These packets are transmitted to target User Equipment over the air interface
- The vulnerable modem firmware processes the packet and triggers the assertion
- Service disruption occurs until the modem recovers
The vulnerability description indicates this is a low complexity attack requiring no privileges or user interaction, making it potentially impactful in scenarios where an attacker has radio access to target devices.
Detection Methods for CVE-2025-47371
Indicators of Compromise
- Repeated unexpected LTE connection drops or modem resets on affected devices
- Device logs showing modem crash or assertion failures during LTE operation
- Unusual patterns of RLC layer errors reported in modem diagnostics
- Multiple devices in the same location experiencing simultaneous connectivity issues
Detection Strategies
- Monitor device fleet for patterns of unexplained LTE modem resets or connectivity failures
- Enable modem crash dump collection to identify assertion failures in RLC processing
- Implement network-level monitoring for anomalous RLC packet patterns if cellular infrastructure visibility is available
- Correlate connectivity issues across multiple devices to identify potential localized attacks
Monitoring Recommendations
- Deploy endpoint telemetry solutions to track modem stability metrics across device fleets
- Configure alerting on elevated rates of modem restart events in enterprise mobile device management systems
- For automotive and IoT deployments, implement connectivity health monitoring with anomaly detection
- Review device diagnostic logs for CWE-617 related assertion failures in modem subsystems
How to Mitigate CVE-2025-47371
Immediate Actions Required
- Review Qualcomm's March 2026 Security Bulletin for device-specific patch availability
- Apply firmware updates from device manufacturers (OEMs) as they become available
- Prioritize patching for critical infrastructure systems including automotive and fixed wireless access deployments
- Inventory all devices with affected Qualcomm chipsets to track patch deployment progress
Patch Information
Qualcomm has addressed this vulnerability in the March 2026 security bulletin. Organizations should monitor for firmware updates from their specific device manufacturers, as Qualcomm provides patches to OEMs who then integrate and distribute updates for their products. The Qualcomm Security Bulletin March 2026 contains the official advisory and affected chipset list.
Due to the nature of modem firmware updates, patches are typically delivered through OEM firmware updates, Android security bulletins (for mobile devices), or vendor-specific update channels for automotive and IoT systems.
Workarounds
- No direct user-level workarounds are available for this modem firmware vulnerability
- For high-security environments, consider limiting LTE connectivity in favor of other network types where feasible until patches are applied
- In automotive and industrial IoT contexts, assess whether affected devices can be isolated or connectivity requirements reduced during the patching window
- Enterprise mobile device management can be used to prioritize and track firmware update deployment across affected device fleets
# Verify device firmware version (Android example)
# Check Settings > About Phone > Baseband version
# Compare against vendor security bulletin for patch status
# For enterprise fleet management, query modem firmware versions:
adb shell getprop gsm.version.baseband
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
