CVE-2026-21373 Overview
CVE-2026-21373 is a memory corruption vulnerability affecting a wide range of Qualcomm firmware components, including Snapdragon compute platforms, FastConnect connectivity solutions, audio codecs, and wireless chipsets. The flaw occurs during Input/Output Control (IOCTL) processing when an output buffer is accessed without validating its size, mapping to [CWE-126] Buffer Over-read. A local attacker with low privileges can trigger the condition to corrupt memory and compromise confidentiality, integrity, and availability of the affected device. Qualcomm published the issue in its April 2026 Security Bulletin.
Critical Impact
Local attackers with low-privileged access can exploit improper buffer size validation in IOCTL handlers to corrupt memory on Qualcomm-based devices, potentially leading to kernel-level code execution or device compromise.
Affected Products
- Qualcomm Snapdragon compute platforms (7c, 7c Gen 2, 7c+ Gen 3, 8c, 8cx, 8cx Gen 2 5G, 8cx Gen 3)
- Qualcomm FastConnect 6200, 6700, 6800, 6900, and 7800 connectivity systems
- Qualcomm WCD, WCN, WSA audio codec/wireless chipsets and Snapdragon 460/662 mobile and AR1 Gen 1 platforms
Discovery Timeline
- 2026-04-06 - CVE-2026-21373 published to NVD
- 2026-04-08 - Last updated in NVD database
- April 2026 - Disclosed in the Qualcomm April 2026 Security Bulletin
Technical Details for CVE-2026-21373
Vulnerability Analysis
The vulnerability resides in IOCTL handling logic within affected Qualcomm firmware drivers. When user-mode callers issue IOCTL requests, the driver writes data to an output buffer supplied by the caller without verifying that the buffer is large enough to hold the response. This out-of-bounds access corrupts adjacent kernel memory structures. Because IOCTL interfaces typically execute in privileged kernel context, successful exploitation can escalate privileges, leak sensitive data from kernel memory, or destabilize the device. The flaw is classified under [CWE-126] (Buffer Over-read), reflecting the missing size check on the destination buffer.
Root Cause
The root cause is missing input validation on the size of the output buffer parameter passed through the IOCTL boundary. The driver trusts caller-supplied length metadata or fails to compare it against the actual response size before performing the write. This omission violates secure kernel programming practices, where every user-supplied pointer and length must be validated before being dereferenced or written to.
Attack Vector
Exploitation requires local access with low privileges on the affected device. An attacker running a malicious application or compromised user-mode process can craft an IOCTL call with a deliberately undersized or malformed output buffer descriptor. When the vulnerable driver processes the request, the unchecked write triggers memory corruption in kernel space. No user interaction is required, and the attack does not cross trust boundaries beyond the local device.
No public proof-of-concept exploit has been published for CVE-2026-21373. Refer to the Qualcomm April 2026 Security Bulletin for vendor-confirmed technical details.
Detection Methods for CVE-2026-21373
Indicators of Compromise
- Unexpected kernel panics, system crashes, or reboots on Qualcomm-based devices following execution of untrusted applications.
- Anomalous IOCTL call patterns from non-system processes targeting Qualcomm driver interfaces.
- Unsigned or unknown applications loading kernel driver handles tied to affected Snapdragon, FastConnect, or WCD/WSA components.
Detection Strategies
- Monitor endpoint telemetry for processes issuing high volumes of IOCTL calls to Qualcomm driver device nodes.
- Inspect crash dumps for faulting addresses inside Qualcomm kernel modules to identify possible exploitation attempts.
- Correlate privilege escalation attempts with abnormal driver interaction events on mobile and ARM-based Windows endpoints.
Monitoring Recommendations
- Enable firmware version inventory reporting to identify devices running pre-April 2026 Qualcomm firmware.
- Track installation of unsigned applications on managed mobile and ARM compute devices.
- Review device manufacturer security patch level (SPL) against the April 2026 Qualcomm bulletin baseline.
How to Mitigate CVE-2026-21373
Immediate Actions Required
- Apply the firmware updates referenced in the Qualcomm April 2026 Security Bulletin as soon as they are distributed by your OEM or device vendor.
- Inventory all devices using affected Snapdragon, FastConnect, WCD, WCN, and WSA components to prioritize patching.
- Restrict installation of untrusted applications on managed devices until firmware updates are deployed.
Patch Information
Qualcomm has released fixes for the affected firmware components as documented in the Qualcomm April 2026 Security Bulletin. Patches are delivered through OEM device manufacturers as part of their monthly security patch levels. Organizations should validate that managed devices report a security patch level dated April 2026 or later.
Workarounds
- Enforce mobile application allowlisting through MDM policies to limit which processes can interact with kernel drivers.
- Disable or restrict access to non-essential Qualcomm driver interfaces where supported by the OEM platform.
- Apply principle of least privilege on user accounts and remove local admin rights on ARM-based Windows endpoints.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
