CVE-2025-47372 Overview
CVE-2025-47372 is a memory corruption vulnerability affecting a wide range of Qualcomm automotive and connectivity firmware platforms. The flaw occurs when a corrupted Executable and Linkable Format (ELF) image with an oversized declared file size is read into a buffer without authentication. An attacker with local access can trigger an out-of-bounds write that corrupts adjacent memory and compromises confidentiality, integrity, and availability of the affected component. Qualcomm disclosed the issue in the Qualcomm December 2025 Security Bulletin. The vulnerability is tracked under [CWE-120] (Buffer Copy without Checking Size of Input) and [CWE-787] (Out-of-bounds Write).
Critical Impact
A local attacker can supply a malformed ELF image to trigger memory corruption, enabling code execution or denial of service across affected Qualcomm chipsets without authentication.
Affected Products
- Qualcomm automotive platforms including SA8255P, SA8620P, SA8650P, SA8770P, SA8775P, SA7255P, SA7775P, and SA9000P firmware
- Qualcomm QAM8255P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, and QAMSRV1M firmware
- Qualcomm connectivity chipsets QCA6595, QCA6595AU, QCA6678AQ, QCA6696, QCA6698AQ, QCA6797AQ, and SRV1H/SRV1L/SRV1M firmware
Discovery Timeline
- 2025-12-18 - CVE-2025-47372 published to NVD
- 2025-12-23 - Last updated in NVD database
Technical Details for CVE-2025-47372
Vulnerability Analysis
The vulnerability resides in the ELF image loading logic used by affected Qualcomm firmware components. When the loader processes an ELF image, it trusts the file size value embedded within the image header and copies the contents into an internal buffer without performing bounds validation. A crafted ELF image declaring a size larger than the destination buffer causes the read or copy operation to overrun the allocated region.
Because the loader does not authenticate the ELF image before parsing the size field, an attacker does not need cryptographic material or signing keys. The corruption affects components running in privileged contexts on the chipset, which makes successful exploitation impactful for confidentiality, integrity, and availability.
Root Cause
The root cause is the absence of a size check between the ELF file size attribute and the destination buffer length. The code path matches [CWE-120], a classic buffer copy without input validation, and produces an [CWE-787] out-of-bounds write when the parser advances past the buffer boundary. Authentication of the ELF image is also performed too late, allowing untrusted data to drive memory operations.
Attack Vector
Exploitation requires local access to the device or to a context that can supply an ELF image to the vulnerable loader. The attack requires no privileges and no user interaction. A local attacker delivers a malformed ELF image, for example through a privileged user-space process or a peripheral interface that feeds firmware loading, and the oversized size field forces the loader to write beyond the buffer. The result ranges from controlled memory corruption suitable for code execution to firmware crash and reboot.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-47372
Indicators of Compromise
- Unexpected resets, watchdog timeouts, or kernel panics on affected Qualcomm automotive or connectivity components during firmware or subsystem loading
- ELF images present on the device with header e_shoff, e_phoff, or section size fields that exceed the actual file size on disk
- Loader or subsystem logs reporting ELF parsing errors immediately followed by component restarts
Detection Strategies
- Compare the firmware build identifiers on deployed devices against the fixed versions referenced in the Qualcomm December 2025 Security Bulletin
- Monitor subsystem crash dumps for signatures consistent with out-of-bounds writes during ELF loading, including corrupted stack canaries or invalid return addresses inside loader functions
- Validate ELF images at higher layers by checking that declared segment and section sizes are consistent with the file size before passing them to the vulnerable loader
Monitoring Recommendations
- Centralize device telemetry from vehicle gateways and connectivity modules to flag repeated subsystem restarts tied to firmware loading
- Track integrity events from secure boot and remote attestation services to catch tampering with firmware payloads delivered to affected chipsets
- Alert on local processes attempting to load unsigned or unexpected ELF images into Qualcomm DSP, modem, or automotive subsystems
How to Mitigate CVE-2025-47372
Immediate Actions Required
- Apply the firmware updates referenced in the Qualcomm December 2025 Security Bulletin for every affected SoC and connectivity chipset in inventory
- Coordinate with OEMs and Tier 1 vehicle suppliers to schedule over-the-air or service-bay updates for impacted automotive platforms such as SA8255P, SA8775P, and QAM8255P
- Restrict local access to interfaces that can submit ELF images to the affected loaders, including debug ports and privileged user-space services
Patch Information
Qualcomm published fixes in the December 2025 Security Bulletin. Device manufacturers must integrate the updated firmware into their platform builds and distribute it to deployed devices. Refer to the bulletin for component-specific patch identifiers and required minimum firmware versions.
Workarounds
- Where patching is not yet feasible, validate ELF images in a higher-privilege wrapper before handing them to the vulnerable loader, rejecting any image whose declared sizes exceed the actual file length
- Enforce strict access control on local interfaces and processes that can deliver firmware blobs to Qualcomm subsystems
- Enable secure boot and runtime integrity checks so that unauthorized firmware modifications produce attestation failures rather than silent loads
# Configuration example
# Verify ELF size consistency before forwarding to the vulnerable loader
actual_size=$(stat -c%s "$ELF_IMAGE")
declared_size=$(readelf -h "$ELF_IMAGE" | awk '/Size of this header/ {h=$NF} /Number of program headers/ {n=$NF} END {print h*n}')
if [ "$declared_size" -gt "$actual_size" ]; then
echo "Rejecting malformed ELF: declared size exceeds file size"
exit 1
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
