Qualcomm warned partners and device manufacturers about multiple newly discovered vulnerabilities that span its chipset ecosystem. Qualcomm released a detailed security bulletin on December 1, 2025, outlining six high-priority weaknesses in its proprietary software, including one flaw that directly compromises the secure boot process, one of the most sensitive stages in a device’s startup chain.
The bulletin states that the document aims to help customers integrate required fixes into both existing and upcoming devices. Qualcomm advised device makers to contact the security bulletins for questions, while also acknowledging external researchers who assisted in identifying several of the issues.
Contributors included Niek Timmers and Cristofaro Mune of Raelize, conghuiwang, Haonan Li, Zinuo Han of OPPO Amber Security Lab, and a researcher identified as ylva.
A Secure Boot Vulnerability: CVE-2025-47372
The most severe issue detailed in the security alert is CVE-2025-47372, a flaw that threatens the integrity of the secure boot process. Qualcomm rated the vulnerability as Critical on both its internal scale and the Common Vulnerability Scoring System (CVSS).
The company’s analysis revealed that the flaw involves a buffer copy operation during boot that fails to validate the size of an incoming ELF image properly. If the image is corrupted or intentionally oversized, the bootloader may write out of bounds, creating memory corruption at an early and highly trusted stage in the startup sequence.
Classified under CWE-120 (Classic Buffer Overflow) and carrying a CVSS score of 9.0, the vulnerability could allow attackers to bypass essential verification routines, install persistent malicious firmware, or seize control of a device before the primary operating system loads. Qualcomm noted that the defect was identified internally, but the company did not clarify how long it may have existed in production hardware prior to detection. A broad range of Snapdragon, QAM, and QCA boot-capable platforms are affected.
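The kind of size validation described above as missing, shown as an added example that is not Qualcomm's code and does not come from the bulletin: a loader step that checks an ELF program header's offset and sizes against both the image and the destination buffer before copying. The struct follows the ELF32 program header layout; `load_segment_checked`, `try_load` and the buffer sizes are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ELF32 program header, field order per the ELF specification. */
typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr;
    uint32_t p_filesz, p_memsz, p_flags, p_align;
} phdr32_t;
#define PT_LOAD 1u

/* Hypothetical loader step: copy one PT_LOAD segment from an image of
 * img_len bytes into a staging buffer of dst_len bytes.
 * The CWE-120 pattern is the bare copy that trusts the header:
 *     memcpy(dst, img + ph->p_offset, ph->p_filesz);
 * Returns 0 on success, -1 if the header describes an out-of-bounds copy. */
int load_segment_checked(const uint8_t *img, size_t img_len,
                         const phdr32_t *ph, uint8_t *dst, size_t dst_len)
{
    if (ph->p_type != PT_LOAD)
        return -1;
    /* Source range must lie inside the image. Comparing against
     * img_len - p_offset avoids computing p_offset + p_filesz, which can wrap. */
    if (ph->p_offset > img_len || ph->p_filesz > img_len - ph->p_offset)
        return -1;
    /* File bytes may not exceed the in-memory size, and the in-memory
     * size must fit the destination buffer. */
    if (ph->p_filesz > ph->p_memsz || ph->p_memsz > dst_len)
        return -1;
    memcpy(dst, img + ph->p_offset, ph->p_filesz);
    memset(dst + ph->p_filesz, 0, ph->p_memsz - ph->p_filesz); /* zero-fill tail */
    return 0;
}

/* Constructed input: a 64-byte image and a 32-byte staging buffer. */
int try_load(uint32_t offset, uint32_t filesz, uint32_t memsz)
{
    static uint8_t image[64];
    uint8_t staging[32];
    phdr32_t ph = { PT_LOAD, offset, 0, 0, filesz, memsz, 0, 0 };
    return load_segment_checked(image, sizeof image, &ph, staging, sizeof staging);
}

int main(void)
{
    printf("well-formed segment: %d\n", try_load(16, 16, 32));
    printf("oversized p_filesz:  %d\n", try_load(16, 4096, 4096));
    printf("wrapping p_offset:   %d\n", try_load(0xFFFFFFF0u, 0x20, 0x20));
    return 0;
}
```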
Additional High-Impact Vulnerabilities
Beyond CVE-2025-47372, Qualcomm’s security bulletin lists five additional high-priority threats and several moderate-severity issues.
- CVE-2025-47319, also internally discovered, impacts the High-Level Operating System (HLOS). Though Qualcomm assigned it a Critical internal rating, its standardized CVSS score is Medium (6.7). The flaw stems from the unintended exposure of Trusted Application–to–Trusted Application (TA-to-TA) communication interfaces to the HLOS layer, matching CWE-497. Affected platforms include FastConnect modules, Snapdragon 4/6/8 Gen chipsets, QAM/QCA families, automotive systems, AR devices, and various compute modules.
- CVE-2025-47323, a High-severity vulnerability with a 7.8 CVSS score, involves integer overflow during audio packet routing. Incorrect handling of GPR packets can trigger wraparound conditions, leading to memory corruption. This flaw spans a wide set of platforms, including AR/VR devices, FastConnect modules, Snapdragon compute processors, and numerous modem-RF systems.
- CVE-2025-47325, reported on September 3, 2025, is a TrustZone firmware vulnerability involving untrusted pointer dereferencing. With a CVSS score of 6.5, the issue could permit unauthorized access to protected memory regions. The bulletin indicates that many IPQ, QCA, QCN, and SDX networking chipsets are affected.
- CVE-2025-47350, another High-severity issue, affects DSP Services. The vulnerability arises from improper handling of concurrent memory mapping and unmapping operations, classified as CWE-416 (Use-After-Free). While potentially severe, Qualcomm noted that no currently active products are impacted, suggesting the flaw exists only in development lines or inactive code.
- CVE-2025-47387, a High-severity camera subsystem vulnerability (CVSS 7.8), involves untrusted pointer dereferencing during JPEG IOCTL handling, presenting risks of memory corruption. Impacted hardware includes multiple compute platforms, FastConnect chipsets, Snapdragon 7c/8c/8cx processors, and several mobile SoCs.
Core Services and Open-Source Vulnerabilities
A moderate-severity issue, CVE-2025-47321, affects Core Services. This classic buffer overflow (CWE-120) can occur when copying packets from Unix clients without enforcing proper bounds checks, posing risks of privilege escalation or remote code execution. The flaw impacts a wide range of Qualcomm connectivity, audio, mobile, AR, wearable, and compute chipsets.
The security bulletin also details multiple open-source software vulnerabilities coordinated through CodeLinaro. These include:
- CVE-2025-27063: A Use-After-Free issue in video playback.
- CVE-2025-47320: An out-of-bounds audio write was also patched via CodeLinaro.
- CVE-2025-47322: An automotive-focused Use-After-Free vulnerability in Linux OS, rated Medium with a High CVSS score of 7.8. Reported on February 7, 2025, and disclosed to customers on June 2, 2025, it affects dozens of chip families across the automotive, compute, mobile, and IoT markets.
Guidance to OEMs and Ecosystem Partners
Qualcomm’s latest security bulletin confirms that patches for high-impact vulnerabilities, including the critical boot issue CVE-2025-47372, are already being shared with manufacturers, who are urged to deploy them on released devices as soon as possible. The company also advised users to check patch availability with their device OEMs, noting that the list of affected chipsets may not be complete.
The wide range of vulnerabilities, spanning secure boot, TrustZone firmware, DSP services, and camera components, shows how deeply these flaws extend across Qualcomm’s ecosystem. As Qualcomm continues issuing security alerts, fast and accurate vulnerability remediation remains essential for organizations operating devices built on these platforms.
Platforms such as Cyble’s vulnerability management can support this effort by providing real-time intelligence, asset-level visibility, and clear prioritization of high-risk weaknesses. These capabilities help teams identify critical exposures earlier and respond more effectively.
