CVE-2025-47401 Overview
CVE-2025-47401 is a transient denial-of-service vulnerability affecting a wide range of Qualcomm chipsets and firmware. The flaw occurs when the WLAN subsystem processes target power rate tables during channel configuration. A malformed input can trigger an out-of-bounds read condition, causing the affected component to crash or become unresponsive until reset.
The vulnerability is classified under CWE-126 (Buffer Over-read) and CWE-125 (Out-of-bounds Read). It impacts Snapdragon mobile, automotive, compute, networking, and FastConnect platforms.
Critical Impact
A network-adjacent attacker can trigger a transient denial of service in WLAN-connected Qualcomm devices, disrupting wireless connectivity across mobile, automotive, IoT, and networking products.
Affected Products
- Qualcomm FastConnect 6200, 6700, 6900, and 7800 firmware
- Qualcomm Snapdragon 8 Gen 1/2/3, 8 Elite, 8 Elite Gen 5, and 888 5G mobile platforms
- Qualcomm IPQ, QCN, QCA, and Networking Pro series (full list in the Qualcomm Security Bulletin May 2026)
Discovery Timeline
- 2026-05-04 - CVE-2025-47401 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2025-47401
Vulnerability Analysis
The defect resides in the WLAN firmware logic responsible for processing target power rate tables during channel configuration. When a channel switch or configuration event occurs, the firmware parses rate table structures supplied by the system or received over the air.
Insufficient validation of table size or index boundaries permits the parser to read beyond the allocated buffer. This out-of-bounds read leads to a transient crash of the WLAN subsystem. The component recovers after a reset, but wireless connectivity is interrupted.
The attack vector is network-based and requires no authentication or user interaction. Successful exploitation only impacts availability — confidentiality and integrity are not affected. Because the WLAN firmware runs across hundreds of Qualcomm SoC variants, the exposure spans smartphones, automotive head units, fixed wireless access devices, and enterprise Wi-Fi infrastructure.
Root Cause
The root cause is a missing or insufficient bounds check when iterating over target power rate table entries. The firmware trusts a length or index field without validating it against the actual buffer size. This produces both a [CWE-126] buffer over-read and a [CWE-125] out-of-bounds read condition during channel configuration parsing.
Attack Vector
An attacker positioned within wireless range, or able to influence channel configuration messages, can send crafted frames or trigger configuration events that contain malformed rate table data. The WLAN subsystem processes the input, dereferences memory beyond the intended bounds, and crashes. No credentials or user interaction are required.
No public proof-of-concept code or in-the-wild exploitation has been reported for CVE-2025-47401.
Detection Methods for CVE-2025-47401
Indicators of Compromise
- Repeated WLAN firmware crashes or subsystem restarts logged in kernel or platform logs during channel switching events
- Unexpected loss of Wi-Fi connectivity coinciding with the presence of nearby unknown access points or beacon frames
- Anomalous wlan or cnss driver error entries referencing rate table or channel configuration failures
Detection Strategies
- Monitor device telemetry for spikes in WLAN driver restarts or SSR (subsystem restart) events on Qualcomm-based hardware
- Correlate Wi-Fi disconnects across multiple endpoints in the same RF environment to identify potential targeted DoS activity
- Inspect wireless intrusion detection sensors for malformed management or action frames preceding device crashes
Monitoring Recommendations
- Aggregate Android, automotive, and IoT device logs into a centralized SIEM to detect coordinated WLAN failures
- Track firmware versions across the fleet and flag devices running vulnerable Qualcomm WLAN firmware revisions
- Enable wireless IDS/IPS sensors capable of identifying malformed 802.11 frames targeting channel configuration
How to Mitigate CVE-2025-47401
Immediate Actions Required
- Apply the firmware updates referenced in the Qualcomm Security Bulletin May 2026 as soon as OEM patches become available
- Inventory all Qualcomm-based mobile, automotive, networking, and IoT devices to determine exposure across the affected product list
- Coordinate with device OEMs and carriers to confirm patch delivery timelines for downstream Snapdragon and FastConnect platforms
Patch Information
Qualcomm addressed CVE-2025-47401 in its May 2026 security bulletin. Vendors that integrate Qualcomm chipsets must distribute the corresponding firmware updates through their own update channels. Refer to the Qualcomm Security Bulletin May 2026 for the authoritative list of fixed components.
Workarounds
- Restrict use of untrusted Wi-Fi networks on affected devices until firmware updates are deployed
- Operate enterprise Wi-Fi infrastructure with management frame protection (802.11w) enabled to reduce exposure to malformed frames
- Segment IoT and operational technology devices using vulnerable Qualcomm chipsets onto isolated wireless networks with strict ACLs
# Example: enumerate Qualcomm WLAN firmware version on Android via ADB
adb shell getprop | grep -i "wlan\|qcom\|firmware"
adb shell dmesg | grep -iE "wlan|cnss|ssr|rate.?table"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
