CVE-2026-25277 Overview
CVE-2026-25277 is a buffer overflow vulnerability in Qualcomm's Strongbox component that leads to memory corruption. Strongbox is the hardware-backed keystore implementation on Qualcomm chipsets used to protect cryptographic keys and sensitive credentials. The flaw affects a wide range of Qualcomm firmware across Snapdragon mobile platforms, FastConnect Wi-Fi chips, modem subsystems, audio codecs, and XR platforms. A local authenticated attacker can trigger the overflow to corrupt memory and compromise confidentiality, integrity, and availability of the affected device. The weakness is tracked under CWE-120 (Buffer Copy without Checking Size of Input).
Critical Impact
Successful exploitation enables memory corruption inside a trusted hardware-backed keystore, potentially undermining the cryptographic root of trust on affected Snapdragon-based devices.
Affected Products
- Qualcomm Snapdragon 8 Elite, Snapdragon 8 Gen 2/Gen 3, Snapdragon 8+ Gen 2, Snapdragon 865/865+/870 5G mobile platforms
- Qualcomm FastConnect 6700/6800/6900/7800, QCA6391, QCA6698AU, QCA6797AQ connectivity firmware
- Qualcomm WCD93xx audio codecs, WSA88xx smart speaker amplifiers, WCN3xxx/WCN78xx Wi-Fi/BT, Snapdragon XR2 and AR1 platforms
Discovery Timeline
- 2026-06-01 - CVE-2026-25277 published to NVD
- 2026-06-02 - Last updated in NVD database
- June 2026 - Disclosed in the Qualcomm Security Bulletin June 2026
Technical Details for CVE-2026-25277
Vulnerability Analysis
The vulnerability resides in the Strongbox subsystem, which exposes a hardware-isolated keystore interface to the Android operating system for storing keys, performing cryptographic operations, and enforcing key-use constraints. A buffer overflow in Strongbox handling code allows an attacker to write past the bounds of an allocated buffer. Because Strongbox executes in a privileged execution context separate from the Rich Execution Environment, memory corruption here can affect the trust boundary between the operating system and secure hardware. Exploitation requires local access with low privileges and no user interaction, making malicious apps a plausible delivery channel. The scope changes when the attacker pivots from the calling process into the secure component, which broadens the impact beyond the original security authority.
Root Cause
The root cause is improper validation of input size before copying data into a fixed-size buffer within the Strongbox implementation, classified as CWE-120. Length-bound checks are missing or insufficient, so attacker-controlled data can exceed the destination buffer and overwrite adjacent memory.
Attack Vector
An attacker with local access invokes the Strongbox interface, typically through Android Keystore APIs that route requests into the Qualcomm hardware-backed keymaster. By submitting a crafted request with oversized or malformed parameters, the attacker triggers the unchecked copy operation. Successful exploitation can corrupt sensitive state inside the keystore process, leading to control-flow hijacking or tampering with protected key material.
No public proof-of-concept code is available for this vulnerability. Refer to the Qualcomm Security Bulletin June 2026 for vendor-supplied technical detail.
Detection Methods for CVE-2026-25277
Indicators of Compromise
- Unexpected crashes, kernel panics, or reboots originating from the Strongbox or keymaster trusted application on Snapdragon devices
- Anomalous failures of Android Keystore operations such as key generation, signing, or attestation returning hardware-backed errors
- Installation of untrusted applications immediately preceding cryptographic subsystem instability
Detection Strategies
- Monitor Android logcat and vendor-specific kernel logs for repeated faults referencing keymaster, strongbox, or QSEE/TEE components
- Inspect mobile device management (MDM) telemetry for firmware versions older than the June 2026 Qualcomm security patch level
- Review installed application inventories for apps requesting unusual Keystore operations or making high volumes of Strongbox-backed key calls
Monitoring Recommendations
- Enforce a minimum Android security patch level corresponding to the June 2026 Qualcomm bulletin through MDM compliance policies
- Forward mobile EDR and MDM telemetry into a central analytics platform to correlate firmware versions, crash signatures, and application installs
- Alert on devices that fail key attestation checks, which can indicate tampering with the hardware-backed keystore
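The correlation of patch level, crash signatures, and application installs described in the detection and monitoring lists above, as an added example (not vendor or Qualcomm code). The device record layout, the log line format, the fault threshold, and the install window are assumptions made for illustration.

```python
import re
from datetime import date, datetime, timedelta

MIN_PATCH = date(2026, 6, 1)         # patch level the page expects after the update
FAULT_RE = re.compile(r"keymaster|strongbox|qsee|\btee\b", re.I)  # components named on the page
FAULT_THRESHOLD = 3                  # assumption: "repeated" means three or more faults
INSTALL_WINDOW = timedelta(hours=1)  # assumption: install-to-fault correlation window

def parse_patch(value):
    """Parse an ro.build.version.security_patch value; None if missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None

def fault_times(log_lines):
    """Timestamps of error/fatal lines that mention a keystore or TEE component."""
    out = []
    for line in log_lines:
        parts = line.split(" ", 2)   # constructed format: "<ISO time> <level> <message>"
        if len(parts) == 3 and parts[1] in ("E", "F") and FAULT_RE.search(parts[2]):
            try:
                out.append(datetime.fromisoformat(parts[0]))
            except ValueError:
                continue             # skip lines whose timestamp cannot be parsed
    return out

def triage(device):
    """Return the findings for one device record (hypothetical MDM/EDR export layout)."""
    findings = []
    patch = parse_patch(device.get("patch"))
    if patch is None:
        findings.append("patch-level-unknown")
    elif patch < MIN_PATCH:
        findings.append("unpatched")
    faults = fault_times(device.get("logs", []))
    if len(faults) >= FAULT_THRESHOLD:
        findings.append("repeated-keystore-faults")
    for app, when in device.get("installs", []):
        installed = datetime.fromisoformat(when)
        if any(timedelta(0) <= f - installed <= INSTALL_WINDOW for f in faults):
            findings.append(f"fault-after-install:{app}")
    return findings

SAMPLE = {"id": "dev-a", "patch": "2026-05-01",  # constructed record, not real device output
          "installs": [("com.example.sideloaded", "2026-06-03T10:00:00")],
          "logs": ["2026-06-03T10:15:02 E KeymasterHal: strongbox operation failed",
                   "2026-06-03T10:15:09 E KeymasterHal: strongbox operation failed",
                   "2026-06-03T10:15:30 F qsee: trusted app crashed",
                   "2026-06-03T10:16:00 I ActivityManager: start proc"]}
```

Calling `triage(SAMPLE)` flags the constructed device as unpatched, with repeated keystore faults that follow an application install inside the window.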
How to Mitigate CVE-2026-25277
Immediate Actions Required
- Apply the June 2026 Qualcomm security patch as soon as it is shipped by the device OEM and carrier
- Identify all corporate-managed devices using Snapdragon platforms listed in the Qualcomm bulletin and prioritize them for update deployment
- Restrict installation of untrusted applications by enforcing managed app catalogs and Play Protect on Android fleets
Patch Information
Qualcomm has released patches covered in the Qualcomm Security Bulletin June 2026. Device OEMs must integrate the updated firmware into their monthly Android security updates and distribute them to end devices. Once updates are installed, verify that the device security patch level reflects the June 2026 bulletin.
Workarounds
- No vendor-supplied workaround exists; remediation requires installation of the firmware update
- Limit attack surface by removing or restricting sideloaded applications and enforcing least-privilege on app permissions until patches are applied
- Monitor for repeated Strongbox or keymaster failures and isolate affected devices from sensitive networks and accounts pending update
```bash
# Verify Android security patch level on a managed device via adb
adb shell getprop ro.build.version.security_patch
# Expected output should be 2026-06-01 or later once the Qualcomm June 2026 bulletin patches are applied
```


