CVE-2025-47407 Overview
CVE-2025-47407 is a memory corruption vulnerability affecting a broad range of Qualcomm chipsets and firmware. The flaw occurs while creating a process on the digital signal processor (DSP) due to an allocation failure at the kernel level. The underlying weakness is classified as [CWE-367] Time-of-Check Time-of-Use (TOCTOU) race condition. Exploitation requires local access and low privileges, but successful attacks can compromise confidentiality, integrity, and availability of the affected device. Qualcomm disclosed the issue in its May 2026 security bulletin, which covers Snapdragon mobile, wearable, XR, compute, and FastConnect product families.
Critical Impact
A local attacker with low privileges can trigger memory corruption in the DSP process creation path, potentially leading to arbitrary code execution at the kernel level on affected Qualcomm devices.
Affected Products
- Qualcomm Snapdragon mobile platforms (including Snapdragon 8 Elite, Snapdragon 8 Elite Gen 5, Snapdragon 7 Gen 4, Snapdragon 6 Gen 1/3, Snapdragon 4 Gen 2, Snapdragon 460/662/680/685)
- Qualcomm FastConnect 6200, 6700, 6900, and 7800 connectivity firmware
- Qualcomm XR, wearable, and compute platforms (Snapdragon XR2 5G, XR2+ Gen 1, AR1+ Gen 1, W5+ Gen 1 Wearable, X1E80100), plus WCD/WCN/WSA audio and connectivity firmware variants
Discovery Timeline
- 2026-05-04 - CVE-2025-47407 published to NVD
- 2026-05-06 - Last updated in NVD database
- May 2026 - Qualcomm publishes security bulletin addressing the vulnerability
Technical Details for CVE-2025-47407
Vulnerability Analysis
The vulnerability resides in the kernel-mode code path that handles process creation on Qualcomm's digital signal processor (DSP). When the kernel attempts to allocate resources for a new DSP process and that allocation fails, the resulting error path does not safely unwind shared state. This produces a memory corruption condition tied to a TOCTOU race ([CWE-367]). An attacker running local code on the application processor can race the allocation logic to manipulate state between the validation check and its subsequent use.
The attack requires local access and low privileges, with no user interaction needed. Successful exploitation impacts confidentiality, integrity, and availability. Because the corruption occurs at the kernel level on a coprocessor closely integrated with system services, exploitation can lead to privilege escalation, sandbox escape from a userspace application, or denial of service of DSP-dependent functions such as audio, camera, modem offload, and AI workloads.
Root Cause
The root cause is a race condition in the DSP process creation handler. The kernel checks resource availability and validates state before completing the allocation, but the window between check and use allows concurrent operations to alter the underlying structures. When the allocation subsequently fails, cleanup logic operates on inconsistent metadata, producing memory corruption.
Attack Vector
A local, low-privileged process on the host operating system invokes DSP-related interfaces, such as those exposed by the FastRPC driver, to spawn or interact with DSP processes. The attacker repeatedly triggers process-creation requests under conditions designed to induce allocation failure while concurrently mutating shared state. Winning the race corrupts kernel memory, which the attacker can shape into a primitive for arbitrary kernel write or controlled use-after-free.
// No verified proof-of-concept code is publicly available for CVE-2025-47407.
// Refer to the Qualcomm Security Bulletin (May 2026) for vendor-supplied technical details.
Detection Methods for CVE-2025-47407
Indicators of Compromise
- Repeated kernel log entries referencing DSP process creation failures, FastRPC errors, or adsprpc allocation faults on affected Qualcomm devices.
- Unexpected device reboots, kernel panics, or DSP subsystem restarts (subsystem restart / SSR events) following userspace activity from non-system applications.
- Unprivileged applications opening /dev/adsprpc-smd, /dev/cdsprpc-smd, or related DSP device nodes at high frequency.
Detection Strategies
- Monitor mobile device management (MDM) and endpoint telemetry for applications issuing abnormal volumes of DSP/FastRPC ioctl calls.
- Correlate kernel crash dumps and bugreports for signatures referencing DSP process creation, kernel allocation failure, and TOCTOU-style race patterns.
- Track installed firmware and patch level against the May 2026 Qualcomm bulletin baseline to identify unpatched fleet devices.
Monitoring Recommendations
- Ingest Android logcat, kernel ring buffer, and OEM crash telemetry into a centralized data lake for query-based hunting on DSP-related faults.
- Alert on repeated SSR events for the aDSP, cDSP, or sDSP subsystems originating from the same userspace UID.
- Baseline normal DSP usage per application class to flag outliers indicative of race-condition exploitation attempts.
How to Mitigate CVE-2025-47407
Immediate Actions Required
- Apply the firmware updates referenced in the Qualcomm Security Bulletin May 2026 as soon as OEM builds are available.
- Inventory all devices and embedded systems containing the affected Snapdragon, FastConnect, WCN, WCD, WSA, and XR firmware listed in the advisory.
- Restrict installation of untrusted applications on affected mobile, wearable, XR, and compute devices until patches are deployed.
Patch Information
Qualcomm has published patches for CVE-2025-47407 in its May 2026 security bulletin. Device manufacturers (OEMs) must integrate the updated firmware and distribute it to end users through their normal update channels. Customers should consult OEM advisories to confirm that the applied build incorporates the May 2026 Qualcomm patch level.
Workarounds
- Limit local code execution surface by enforcing application allowlisting and reviewing apps with access to DSP/FastRPC interfaces.
- Apply MDM policies to disable sideloading and developer options on managed mobile and XR devices.
- Where feasible on embedded platforms, restrict access to DSP RPC device nodes through SELinux policy hardening until vendor patches land.
# Verify Android security patch level on a managed device
adb shell getprop ro.build.version.security_patch
# Confirm vendor patch level (where exposed by OEM)
adb shell getprop ro.vendor.build.security_patch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
