CVE-2026-21385 Overview
CVE-2026-21385 is a memory corruption vulnerability affecting a broad range of Qualcomm chipsets and firmware. The flaw occurs when alignments are used for memory allocation, leading to an integer overflow condition [CWE-190]. A local attacker with low privileges can trigger the condition to corrupt memory and compromise device confidentiality, integrity, and availability. The vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild. Qualcomm addressed the issue in its March 2026 security bulletin, and Android distributed corresponding patches in the March 2026 Android Security Bulletin.
Critical Impact
Local attackers can trigger memory corruption on Snapdragon-powered mobile, automotive, IoT, and compute devices, achieving high-impact compromise of confidentiality, integrity, and availability.
Affected Products
- Qualcomm Snapdragon mobile platforms (Snapdragon 8 Elite, 8 Gen 1/2/3, 7+ Gen 2, 6 Gen 1/3/4, 4 Gen 1/2, 8+ Gen 1/2, and legacy 865/870/888 series)
- Qualcomm automotive and compute platforms (Snapdragon 820 Automotive, SA8155P, SA8295P, SA8770P, SC8380XP, Snapdragon 7c+ Gen 3)
- Qualcomm connectivity, IoT, audio, and XR firmware (FastConnect 6200–7800, QCA Wi-Fi/Ethernet chips, WCD/WSA audio codecs, Snapdragon XR2/AR1, Robotics RB2/RB5, Vision Intelligence 100/200/400)
Discovery Timeline
- 2026-03-02 - CVE-2026-21385 published to NVD
- 2026-03-04 - Last updated in NVD database
- March 2026 - Qualcomm releases security patch via the Qualcomm March 2026 Bulletin
- March 2026 - Android distributes patches via the Android Security Bulletin March 2026
- Confirmed Exploited - Added to the CISA Known Exploited Vulnerabilities Catalog
Technical Details for CVE-2026-21385
Vulnerability Analysis
The defect resides in code paths that compute aligned sizes during memory allocation across Qualcomm firmware components. When alignment math is applied to attacker-influenced sizes, the calculation can wrap around the maximum integer value. The allocator then returns a buffer smaller than the caller expects. Subsequent writes overflow the under-sized allocation and corrupt adjacent heap structures. Because the affected firmware runs at a privileged layer beneath the operating system, successful exploitation can lead to kernel- or firmware-level compromise from a low-privileged local context.
Root Cause
The root cause is an integer overflow in the alignment calculation used prior to memory allocation, classified as [CWE-190] Integer Overflow or Wraparound. Aligning a size value (for example, rounding up to a page or cache-line boundary) without first validating the input allows the rounded value to wrap to a small or zero number. The allocator interprets this wrapped value as a legitimate request, producing a buffer that does not match the original size expectation held by the calling code.
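The wraparound described above, shown as an added C example beside a checked version; this is not Qualcomm's code or the patched code. The function names, the 4096-byte alignment, and the sample sizes are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked round-up: size + (align - 1) wraps when size is near SIZE_MAX. */
static size_t align_up_unchecked(size_t size, size_t align)
{
    return (size + (align - 1)) & ~(align - 1);
}

/* Checked round-up: rejects bad alignments and any size that would wrap.
 * Returns true and stores the aligned size in *out on success. */
static bool align_up_checked(size_t size, size_t align, size_t *out)
{
    if (align == 0 || (align & (align - 1)) != 0)
        return false;                  /* alignment must be a power of two */
    if (size > SIZE_MAX - (align - 1))
        return false;                  /* size + (align - 1) would wrap */
    *out = (size + (align - 1)) & ~(align - 1);
    return true;
}

/* Checked array sizing: validate count * elem_size before aligning it. */
static bool aligned_array_size(size_t count, size_t elem_size, size_t align, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;                  /* multiplication would wrap */
    return align_up_checked(count * elem_size, align, out);
}

int main(void)
{
    const size_t page = 4096;          /* constructed example alignment */
    size_t requested = SIZE_MAX - 100; /* constructed caller-supplied size */
    size_t aligned = 0;

    /* The unchecked path turns a huge request into a zero-byte allocation size. */
    printf("unchecked: %zu\n", align_up_unchecked(requested, page));
    /* The checked path refuses the same request instead of wrapping. */
    printf("checked accepted: %d\n", align_up_checked(requested, page, &aligned));
    if (align_up_checked(5000, page, &aligned))
        printf("5000 -> %zu\n", aligned);
    if (!aligned_array_size(SIZE_MAX / 2, 4, 64, &aligned))
        printf("array request rejected\n");
    return 0;
}
```

The same guard can be written with compiler builtins such as `__builtin_add_overflow` and `__builtin_mul_overflow` on GCC and Clang.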
Attack Vector
The attack vector is local. An attacker needs the ability to execute code on the device, such as through a malicious application or a compromised lower-privilege process, to reach the vulnerable allocation path. No user interaction is required. The attacker submits crafted size or count parameters to a firmware interface that performs alignment arithmetic. The resulting out-of-bounds write enables memory corruption that can be shaped into privilege escalation or persistent device compromise.
Verified exploitation code for CVE-2026-21385 has not been publicly released. Refer to the Qualcomm March 2026 Bulletin for component-specific technical details.
Detection Methods for CVE-2026-21385
Indicators of Compromise
- Unexpected kernel panics, firmware resets, or SubSystem Restart (SSR) events on Snapdragon devices following untrusted app installation.
- Crash dumps referencing Qualcomm kernel drivers or DSP/modem subsystems with heap corruption signatures.
- Installation of unsigned or sideloaded applications shortly before device instability is observed.
Detection Strategies
- Inventory devices against the affected chipset list and flag any running firmware predating the March 2026 Qualcomm bulletin.
- Monitor mobile device management (MDM) telemetry for security patch level values older than 2026-03-01.
- Correlate Android tombstone and dropbox crash reports for repeated faults inside Qualcomm-supplied modules.
Monitoring Recommendations
- Forward MDM compliance events and Android crash telemetry into a centralized SIEM for longitudinal analysis.
- Alert on devices that fail to apply the March 2026 patch level within the organization's defined remediation window.
- Track app installation events from unknown sources on devices that have not yet received vendor patches.
How to Mitigate CVE-2026-21385
Immediate Actions Required
- Apply the March 2026 OEM firmware updates that incorporate Qualcomm's patches to all affected Snapdragon, QCA, WCD, WSA, and automotive/IoT platforms.
- Enforce a minimum Android security patch level of 2026-03-01 via MDM compliance policy.
- Restrict installation of applications from untrusted sources on devices awaiting patches.
Patch Information
Qualcomm published fixes in the Qualcomm March 2026 Bulletin. Corresponding Android-side updates are tracked in the Android Security Bulletin March 2026. Device OEMs must integrate the Qualcomm patches into firmware images and deliver them through over-the-air (OTA) updates. Verify the patched build is installed before considering remediation complete.
Workarounds
- Block sideloading and enforce Google Play Protect on managed Android devices until patches are deployed.
- Limit physical and logical access to automotive head units, IoT gateways, and wearables running unpatched Qualcomm firmware.
- Decommission or isolate end-of-life Qualcomm platforms that will not receive vendor updates.
```bash
# Verify Android security patch level on a managed device
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2026-03-01 or later
```


