CVE-2025-47403 Overview
CVE-2025-47403 is a transient denial-of-service vulnerability affecting a wide range of Qualcomm Snapdragon, FastConnect, WCN, QCA, and IPQ wireless components. The flaw resides in the WLAN firmware processing of IEEE 802.11r Fast Transition (FT) response frames during wireless roaming. When the affected firmware parses a malformed FT response frame containing an invalid header structure, an out-of-bounds read condition occurs. This results in a transient DoS that disrupts wireless connectivity. The vulnerability is tracked under CWE-126 (Buffer Over-read) and CWE-125 (Out-of-bounds Read).
Critical Impact
A network-adjacent attacker can transmit a crafted Fast Transition response frame to a roaming client and trigger a transient denial-of-service on Qualcomm WLAN-enabled devices, disrupting wireless connectivity across mobile, automotive, IoT, and networking platforms.
Affected Products
- Qualcomm Snapdragon mobile platforms (8 Elite, 8 Gen 1/2/3, 8+ Gen 1/2, 7 series, 6 series, 4 Gen 2)
- Qualcomm FastConnect 6200, 6700, 6900, and 7800 connectivity subsystems
- Qualcomm IPQ, QCN, QCA networking and Wi-Fi chipsets, plus automotive (SA8255P, SA8770P) and XR (SXR2230P/2350P) platforms
Discovery Timeline
- 2026-05-04 - CVE-2025-47403 published to NVD
- 2026-05-06 - Last updated in NVD database
- May 2026 - Disclosed in the Qualcomm May 2026 Security Bulletin
Technical Details for CVE-2025-47403
Vulnerability Analysis
The vulnerability resides in the WLAN firmware path that handles IEEE 802.11r Fast BSS Transition (FT) response frames. Fast Transition allows a station to roam between access points within the same mobility domain without performing a full reauthentication. The protocol exchange relies on tightly structured management frames containing Mobility Domain, FT, and RSN information elements.
When the affected Qualcomm firmware receives an FT response frame with a malformed or invalid header structure, the parser fails to validate the declared element lengths against the actual frame boundary. This drives an out-of-bounds read past the end of the receive buffer. The firmware enters an inconsistent state and the WLAN subsystem experiences a transient denial of service, dropping the active connection until recovery.
Root Cause
The root cause is missing or insufficient bounds validation on length fields within the FT response frame header before the firmware parser dereferences subsequent buffer offsets. The condition aligns with CWE-126 (buffer over-read past intended boundary) and CWE-125 (generic out-of-bounds read). No memory corruption or code execution is reported; impact is limited to availability.
Attack Vector
Exploitation requires an attacker within radio range of a vulnerable client while it roams. The attacker spoofs the target access point and injects an 802.11r FT response frame (an FT Authentication or Reassociation Response frame over the air, or an FT Action frame over the DS) with a crafted, malformed header. No credentials or user interaction are required: the frame header and element lengths are parsed before the FTE MIC that would otherwise authenticate the response can be checked, so the parsing flaw is reachable without knowledge of any key. The impact is limited to denial of service; confidentiality and integrity are not affected.
No public proof-of-concept code, ExploitDB entry, or in-the-wild exploitation has been reported for CVE-2025-47403.
Detection Methods for CVE-2025-47403
Indicators of Compromise
- Repeated, unexpected WLAN disconnects or roaming failures on devices using Qualcomm Snapdragon, FastConnect, WCN, or QCA chipsets, especially in environments with 802.11r enabled.
- Firmware crash logs, WLAN subsystem restarts (SSR), or WLAN driver resets correlated with reception of FT Action or FT Reassociation Response frames.
- Wireless captures showing 802.11r FT response frames with anomalous information element lengths or truncated headers near client roaming events.
Detection Strategies
- Monitor wireless intrusion detection system (WIDS) telemetry for malformed 802.11 management frames, with focus on FT Action category 6 frames.
- Correlate endpoint connectivity loss events with controller-side roaming logs to identify patterns consistent with frame-injection-induced DoS.
- Track host-level mobile device management (MDM) signals reporting Wi-Fi subsystem restarts on patch-eligible Qualcomm hardware.
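As an added example (not Qualcomm firmware and not code from the bulletin), the C program below shows the element-parsing pattern behind the Root Cause section and the anomalous-element-length indicator listed above: an unchecked walker that trusts each information element's declared length beside a bounds-checked walker that rejects truncated headers, over-long elements and an undersized FTE. The checked walker is the same rule a WIDS would apply to captured FT frames. The two frame bodies, the 512-byte array standing in for the receive buffer and the memory beyond it, and the function names are constructed for this demo; the element IDs (54 Mobility Domain, 55 Fast BSS Transition) and the 82-octet FTE fixed part (with a 16-octet MIC) come from IEEE 802.11-2020.

```c
/*
 * Illustrative 802.11 information-element walker for an FT response frame body.
 * Added example, not Qualcomm code: contrasts the CWE-126 pattern (a parser that
 * trusts declared element lengths) with a bounds-checked walker that doubles as
 * a WIDS-style check for anomalous element lengths.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_MDE      54   /* Mobility Domain element (IEEE 802.11-2020, Table 9-92) */
#define EID_FTE      55   /* Fast BSS Transition element */
#define FTE_MIN_LEN  82   /* MIC Control(2) + MIC(16) + ANonce(32) + SNonce(32) */
#define RX_BUF_CAP  512   /* constructed rx buffer; bytes past frame_len stand in for adjacent memory */

/* Unchecked walker (vulnerable pattern): copies each FTE using its declared
 * length without comparing it to frame_len. Returns how many bytes beyond
 * frame_len it consumed (0 for a well-formed frame). The builders below keep
 * frame_len + 257 <= RX_BUF_CAP so the demo itself never leaves the array. */
size_t walk_unchecked(const uint8_t *buf, size_t frame_len, int *found_fte)
{
    uint8_t fte[255];
    size_t off = 0;
    *found_fte = 0;
    while (off < frame_len) {
        uint8_t id  = buf[off];
        uint8_t len = buf[off + 1];           /* header byte may already lie past frame_len */
        if (id == EID_FTE) {
            memcpy(fte, buf + off + 2, len);  /* declared length alone drives the read */
            *found_fte = 1;
        }
        off += 2 + (size_t)len;
    }
    return off > frame_len ? off - frame_len : 0;
}

/* Bounds-checked walker (fixed pattern, also usable as a detection rule).
 * Returns 0 when every element fits inside frame_len and the FTE carries at
 * least its fixed fields; -1 on a truncated header, over-long element or short FTE. */
int walk_checked(const uint8_t *buf, size_t frame_len, int *found_fte)
{
    size_t off = 0;
    *found_fte = 0;
    while (off < frame_len) {
        if (frame_len - off < 2) return -1;          /* element header truncated */
        uint8_t id = buf[off], len = buf[off + 1];
        if (len > frame_len - off - 2) return -1;    /* declared length runs past the frame */
        if (id == EID_FTE) {
            if (len < FTE_MIN_LEN) return -1;        /* cannot hold MIC control, MIC and nonces */
            *found_fte = 1;
        }
        off += 2 + (size_t)len;
    }
    return 0;
}

/* Constructed sample: well-formed body, MDE followed by an FTE with zeroed fields. */
size_t build_good_frame(uint8_t buf[RX_BUF_CAP])
{
    size_t off = 0;
    memset(buf, 0, RX_BUF_CAP);
    buf[off++] = EID_MDE; buf[off++] = 3;
    buf[off++] = 0x12; buf[off++] = 0x34;    /* MDID */
    buf[off++] = 0x01;                       /* FT capability: over-the-DS supported */
    buf[off++] = EID_FTE; buf[off++] = FTE_MIN_LEN;
    off += FTE_MIN_LEN;                      /* MIC control, MIC, ANonce, SNonce left zero */
    return off;                              /* 89 bytes */
}

/* Constructed sample: malformed body whose FTE declares 255 bytes but the
 * frame ends 10 bytes after the element header. */
size_t build_truncated_frame(uint8_t buf[RX_BUF_CAP])
{
    size_t off = 0;
    memset(buf, 0, RX_BUF_CAP);
    buf[off++] = EID_MDE; buf[off++] = 3;
    buf[off++] = 0x12; buf[off++] = 0x34; buf[off++] = 0x01;
    buf[off++] = EID_FTE; buf[off++] = 0xFF;    /* claims 255 bytes ... */
    off += 10;                                  /* ... but the frame stops here */
    memset(buf + off, 0xA5, RX_BUF_CAP - off);  /* filler for memory past the rx buffer */
    return off;                                 /* 17 bytes */
}

int main(void)
{
    uint8_t rx[RX_BUF_CAP];
    int fte;
    size_t n = build_truncated_frame(rx);
    size_t over = walk_unchecked(rx, n, &fte);
    int verdict = walk_checked(rx, n, &fte);
    printf("truncated frame: unchecked walker read %zu bytes past the end, checked verdict %d\n", over, verdict);
    n = build_good_frame(rx);
    verdict = walk_checked(rx, n, &fte);
    printf("well-formed frame: checked verdict %d, FTE present %d\n", verdict, fte);
    return 0;
}
```

The unchecked walker reports 245 bytes read past the 17-byte truncated frame, which is the over-read the advisory describes; the checked walker rejects the same frame at the FTE header, and passes the well-formed frame. Applied to decoded FT frames from a capture, the checked walker's -1 verdict is exactly the "anomalous information element length" indicator to alert on.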
Monitoring Recommendations
- Forward WLAN controller, AP, and endpoint logs into a centralized analytics platform to detect clustered roaming failures across multiple clients on the same channel.
- Capture periodic 802.11 PCAPs in high-value coverage areas (executive floors, SCIFs, OT networks) to retrospectively identify malformed FT frames.
- Alert on bursts of deauthentication, disassociation, or association timeouts that coincide with anomalous management frames.
How to Mitigate CVE-2025-47403
Immediate Actions Required
- Inventory devices that contain affected Qualcomm chipsets, including mobile handsets, laptops, automotive head units, XR headsets, IoT gateways, and Wi-Fi infrastructure.
- Apply OEM firmware updates that incorporate the Qualcomm May 2026 security patch as soon as vendors publish them downstream.
- Prioritize patching for assets that roam frequently between access points, such as warehouse scanners, medical carts, and corporate mobile fleets.
Patch Information
Qualcomm addressed CVE-2025-47403 in its May 2026 security bulletin. OEM and ODM partners must integrate the corrected WLAN firmware into device-level updates before end users can deploy the fix. Refer to the Qualcomm May 2026 Security Bulletin for the authoritative list of affected components and patched firmware versions, and to your device OEM for delivery timelines.
Workarounds
- Where operationally feasible, disable 802.11r Fast Transition on enterprise SSIDs serving unpatched clients to remove the vulnerable code path from the roaming exchange.
- Enable Management Frame Protection (802.11w PMF) on all SSIDs to raise the bar for spoofed management frame injection. Note the limit: PMF protects Deauthentication, Disassociation and robust Action frames (including the FT Action frames used for over-the-DS roaming), but not the Authentication and Reassociation frames that carry the FT response over the air, so it does not close the over-the-air FT path on its own; disabling 802.11r remains the effective workaround for unpatched clients.
- Restrict access to sensitive wireless networks using certificate-based 802.1X and segment unpatched Qualcomm-based devices onto isolated VLANs until firmware updates are available.
# Example: disable 802.11r Fast Transition on a Cisco WLC (AireOS) SSID until clients are patched.
# The WLAN must be disabled before its security settings can be changed.
config wlan disable <wlan-id>
# Turn off both FT modes: over-the-air and over-the-DS.
config wlan security ft disable <wlan-id>
config wlan security ft over-the-ds disable <wlan-id>
# Require 802.11w PMF. Clients that do not support 802.11w will be rejected;
# use "optional" instead of "required" for a mixed fleet.
config wlan security pmf required <wlan-id>
config wlan enable <wlan-id>
# Verify: "show wlan <wlan-id>" should show FT support disabled and PMF required.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.