CVE-2025-47388 Overview
CVE-2025-47388 is a memory corruption vulnerability affecting a broad range of Qualcomm chipsets and firmware components. The flaw occurs when memory pages are passed to the Digital Signal Processor (DSP) with an unaligned starting address. The condition maps to [CWE-120] (Buffer Copy without Checking Size of Input) and can be triggered locally by a low-privileged process with access to the DSP interface. Successful exploitation can compromise the confidentiality, integrity, and availability of the affected device. Qualcomm addressed the issue in the January 2026 Security Bulletin, which covers platforms ranging from Snapdragon mobile chipsets to FastConnect, wearables, audio codecs, and Wi-Fi/Bluetooth combo SoCs.
Critical Impact
A local, low-privileged attacker can corrupt DSP memory by submitting unaligned page addresses, potentially achieving code execution or persistent device compromise across dozens of Qualcomm platforms.
Affected Products
- Qualcomm Snapdragon 4 Gen 2, Snapdragon 6 Gen 1, and Snapdragon W5+ Gen 1 mobile/wearable platforms
- Qualcomm FastConnect 6200, 6700, 6900, and 7800 connectivity firmware
- Qualcomm WCD, WCN, WSA, SXR, SM, SG, SW, QCS, QMP, and Video Collaboration platform firmware listed in the January 2026 bulletin
Discovery Timeline
- 2026-01-07 - CVE-2025-47388 published to NVD alongside the Qualcomm January 2026 Security Bulletin
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2025-47388
Vulnerability Analysis
The vulnerability resides in the code path that hands off memory pages from a host processor context to the Qualcomm DSP. When the caller supplies a starting address that is not aligned to the expected page boundary, the DSP-side handling logic fails to safely compute buffer bounds. The result is memory corruption inside DSP-accessible memory regions, which can be leveraged to overwrite adjacent structures or control data. Because the DSP runs privileged firmware that interacts with audio, sensor, modem, and connectivity subsystems, corruption inside this trust domain can cascade into wider compromise of the platform.
Root Cause
The defect is an input validation failure on the alignment of the starting address used during page transfer to the DSP. The handler assumes properly aligned input and performs size and offset arithmetic without enforcing the alignment invariant. This matches the [CWE-120] classification, where insufficient checks before a buffer copy lead to out-of-bounds writes inside DSP-mapped memory.
Attack Vector
Exploitation requires local access with low privileges and no user interaction. An attacker with the ability to invoke the affected DSP interface, typically a compromised application or service with permission to call DSP IOCTLs, can craft a request that references an unaligned page address. The malformed request triggers the corruption inside the DSP firmware context. Network exploitation is not possible; the attack surface is confined to local callers of the DSP driver on the affected SoC. See the Qualcomm January 2026 Security Bulletin for vendor confirmation.
Detection Methods for CVE-2025-47388
Indicators of Compromise
- Unexpected DSP subsystem crashes, restarts, or SubSystem Restart (SSR) events recorded in device logs
- Kernel messages from the Qualcomm FastRPC or ADSPRPC driver referencing invalid page mappings or unaligned addresses
- Applications repeatedly invoking DSP IOCTLs from non-standard or unprivileged contexts
Detection Strategies
- Monitor mobile device telemetry for abnormal frequency of DSP/ADSP/CDSP subsystem resets that correlate with specific applications
- Inspect bug reports and dmesg-style kernel logs for FastRPC errors involving page alignment or buffer validation failures
- Track installed applications that request access to DSP interfaces and flag those without a legitimate audio, camera, or ML workload
Monitoring Recommendations
- Centralize mobile and embedded device crash telemetry to spot clusters of DSP faults across a fleet
- Alert on installation of unsigned or sideloaded packages on devices built around the affected Qualcomm SoCs
- Correlate DSP fault events with process execution data to identify the originating caller
How to Mitigate CVE-2025-47388
Immediate Actions Required
- Inventory devices and embedded products that use the Qualcomm chipsets listed in the January 2026 bulletin and prioritize them for patching
- Apply the OEM firmware update that incorporates the Qualcomm January 2026 fix as soon as it is available for each affected device
- Restrict installation of untrusted applications on affected devices until firmware updates are deployed
Patch Information
Qualcomm has released fixes for this issue as part of its January 2026 Security Bulletin. Patches are distributed to OEMs, who must integrate them into device-specific firmware and operating system updates. End users and enterprise administrators should track vendor and carrier release notes for the corresponding updates on each affected product line.
Workarounds
- No vendor-supplied workaround exists; reduce risk by limiting local code execution on affected devices to trusted applications
- Enforce mobile device management (MDM) policies that block sideloading and restrict access to development or debugging interfaces
- Decommission or isolate end-of-life devices that will not receive an OEM update incorporating the Qualcomm fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
