CVE-2020-3686
9.8 CRITICAL
📋 TL;DR
CVE-2020-3686 is a buffer overflow vulnerability in Qualcomm Snapdragon chipsets that allows remote code execution during music playback. An attacker can exploit this by sending a specially crafted audio bitstream, potentially gaining control of affected devices. This affects numerous Qualcomm Snapdragon platforms across automotive, mobile, IoT, and networking devices.
💻 Affected Systems
Products:
- Snapdragon Auto
- Snapdragon Compute
- Snapdragon Connectivity
- Snapdragon Consumer IOT
- Snapdragon Industrial IOT
- Snapdragon IoT
- Snapdragon Mobile
- Snapdragon Voice & Music
- Snapdragon Wearables
- Snapdragon Wired Infrastructure and Networking
Versions: Specific chipset versions not publicly detailed; refer to Qualcomm December 2020 security bulletin for exact affected versions.
Operating Systems: Android, Linux-based systems using affected Snapdragon chipsets
Default Config Vulnerable:
⚠️ Yes
Notes: Vulnerability exists in the audio processing component of the chipset firmware/software stack.
📦 What is this software?
Apq8009 by Qualcomm
Apq8009w by Qualcomm
Apq8017 by Qualcomm
Apq8030 by Qualcomm
Apq8037 by Qualcomm
Apq8052 by Qualcomm
Apq8053 by Qualcomm
Apq8056 by Qualcomm
Apq8060a by Qualcomm
Apq8062 by Qualcomm
Apq8064 by Qualcomm
Apq8064au by Qualcomm
Apq8076 by Qualcomm
Apq8084 by Qualcomm
Apq8096au by Qualcomm
Aqt1000 by Qualcomm
Ar6003 by Qualcomm
Ar8031 by Qualcomm
Ar8035 by Qualcomm
Ar8151 by Qualcomm
Csra6620 by Qualcomm
Csra6640 by Qualcomm
Csrb31024 by Qualcomm
Mdm8215 by Qualcomm
Mdm8215m by Qualcomm
Mdm8615m by Qualcomm
Mdm8635m by Qualcomm
Mdm9215 by Qualcomm
Mdm9225 by Qualcomm
Mdm9225m by Qualcomm
Mdm9230 by Qualcomm
Mdm9235m by Qualcomm
Mdm9310 by Qualcomm
Mdm9330 by Qualcomm
Mdm9607 by Qualcomm
Mdm9615 by Qualcomm
Mdm9615m by Qualcomm
Mdm9625 by Qualcomm
Mdm9625m by Qualcomm
Mdm9628 by Qualcomm
Mdm9630 by Qualcomm
Mdm9635m by Qualcomm
Mdm9640 by Qualcomm
Mdm9645 by Qualcomm
Mdm9650 by Qualcomm
Mdm9655 by Qualcomm
Mpq8064 by Qualcomm
Msm8108 by Qualcomm
Msm8208 by Qualcomm
Msm8209 by Qualcomm
Msm8226 by Qualcomm
Msm8227 by Qualcomm
Msm8230 by Qualcomm
Msm8608 by Qualcomm
Msm8610 by Qualcomm
Msm8627 by Qualcomm
Msm8630 by Qualcomm
Msm8909w by Qualcomm
Msm8917 by Qualcomm
Msm8920 by Qualcomm
Msm8930 by Qualcomm
Msm8940 by Qualcomm
Msm8952 by Qualcomm
Msm8953 by Qualcomm
Msm8956 by Qualcomm
Msm8960 by Qualcomm
Msm8960sg by Qualcomm
Msm8962 by Qualcomm
Msm8976 by Qualcomm
Msm8976sg by Qualcomm
Msm8996au by Qualcomm
Pm215 by Qualcomm
Pm3003a by Qualcomm
Pm4125 by Qualcomm
Pm439 by Qualcomm
Pm456 by Qualcomm
Pm6125 by Qualcomm
Pm6150 by Qualcomm
Pm6150a by Qualcomm
Pm6150l by Qualcomm
Pm6250 by Qualcomm
Pm6350 by Qualcomm
Pm640a by Qualcomm
Pm640l by Qualcomm
Pm640p by Qualcomm
Pm660 by Qualcomm
Pm660a by Qualcomm
Pm660l by Qualcomm
Pm670 by Qualcomm
Pm670a by Qualcomm
Pm670l by Qualcomm
Pm7150a by Qualcomm
Pm7150l by Qualcomm
Pm7250 by Qualcomm
Pm7250b by Qualcomm
Pm7350c by Qualcomm
Pm8004 by Qualcomm
Pm8005 by Qualcomm
Pm8008 by Qualcomm
Pm8009 by Qualcomm
Pm8018 by Qualcomm
Pm8019 by Qualcomm
Pm8110 by Qualcomm
Pm8150 by Qualcomm
Pm8150a by Qualcomm
Pm8150b by Qualcomm
Pm8150c by Qualcomm
Pm8150l by Qualcomm
Pm8226 by Qualcomm
Pm8250 by Qualcomm
Pm8350 by Qualcomm
Pm8350b by Qualcomm
Pm8350bh by Qualcomm
Pm8350bhs by Qualcomm
Pm8350c by Qualcomm
Pm855 by Qualcomm
Pm855a by Qualcomm
Pm855b by Qualcomm
Pm855l by Qualcomm
Pm855p by Qualcomm
Pm8821 by Qualcomm
Pm8909 by Qualcomm
Pm8916 by Qualcomm
Pm8917 by Qualcomm
Pm8921 by Qualcomm
Pm8937 by Qualcomm
Pm8940 by Qualcomm
Pm8952 by Qualcomm
Pm8953 by Qualcomm
Pm8996 by Qualcomm
Pm8998 by Qualcomm
Pmc1000h by Qualcomm
Pmd9607 by Qualcomm
Pmd9635 by Qualcomm
Pmd9645 by Qualcomm
Pmd9655 by Qualcomm
Pme605 by Qualcomm
Pmi632 by Qualcomm
Pmi8937 by Qualcomm
Pmi8940 by Qualcomm
Pmi8952 by Qualcomm
Pmi8994 by Qualcomm
Pmi8996 by Qualcomm
Pmi8998 by Qualcomm
Pmk7350 by Qualcomm
Pmk8001 by Qualcomm
Pmk8002 by Qualcomm
Pmk8003 by Qualcomm
Pmk8350 by Qualcomm
Pmm6155au by Qualcomm
Pmm8155au by Qualcomm
Pmm8195au by Qualcomm
Pmm855au by Qualcomm
Pmm8996au by Qualcomm
Pmr525 by Qualcomm
Pmr735a by Qualcomm
Pmr735b by Qualcomm
Pmw3100 by Qualcomm
Pmx24 by Qualcomm
Pmx50 by Qualcomm
Pmx55 by Qualcomm
Qat3514 by Qualcomm
Qat3516 by Qualcomm
Qat3518 by Qualcomm
Qat3519 by Qualcomm
Qat3522 by Qualcomm
Qat3550 by Qualcomm
Qat3555 by Qualcomm
Qat5515 by Qualcomm
Qat5516 by Qualcomm
Qat5522 by Qualcomm
Qat5533 by Qualcomm
Qat5568 by Qualcomm
Qbt1500 by Qualcomm
Qbt2000 by Qualcomm
Qca1990 by Qualcomm
Qca4020 by Qualcomm
Qca6174 by Qualcomm
Qca6174a by Qualcomm
Qca6175a by Qualcomm
Qca6310 by Qualcomm
Qca6320 by Qualcomm
Qca6335 by Qualcomm
Qca6390 by Qualcomm
Qca6391 by Qualcomm
Qca6420 by Qualcomm
Qca6426 by Qualcomm
Qca6430 by Qualcomm
Qca6431 by Qualcomm
Qca6436 by Qualcomm
Qca6564 by Qualcomm
Qca6564a by Qualcomm
Qca6564au by Qualcomm
Qca6574 by Qualcomm
Qca6574a by Qualcomm
Qca6574au by Qualcomm
Qca6584au by Qualcomm
Qca6595 by Qualcomm
Qca6595au by Qualcomm
Qca6694 by Qualcomm
Qca6694au by Qualcomm
Qca6696 by Qualcomm
Qca9379 by Qualcomm
Qca9984 by Qualcomm
Qcc1110 by Qualcomm
Qcc112 by Qualcomm
Qcm2290 by Qualcomm
Qcm4290 by Qualcomm
Qcm6125 by Qualcomm
Qcs2290 by Qualcomm
Qcs405 by Qualcomm
Qcs410 by Qualcomm
Qcs4290 by Qualcomm
Qcs603 by Qualcomm
Qcs605 by Qualcomm
Qcs610 by Qualcomm
Qcs6125 by Qualcomm
Qdm2301 by Qualcomm
Qdm2302 by Qualcomm
Qdm2305 by Qualcomm
Qdm2307 by Qualcomm
Qdm2308 by Qualcomm
Qdm2310 by Qualcomm
Qdm3301 by Qualcomm
Qdm3302 by Qualcomm
Qdm4643 by Qualcomm
Qdm4650 by Qualcomm
Qdm5579 by Qualcomm
Qdm5620 by Qualcomm
Qdm5621 by Qualcomm
Qdm5650 by Qualcomm
Qdm5652 by Qualcomm
Qdm5670 by Qualcomm
Qdm5671 by Qualcomm
Qdm5677 by Qualcomm
Qdm5679 by Qualcomm
Qet4100 by Qualcomm
Qet4101 by Qualcomm
Qet4200aq by Qualcomm
Qet5100 by Qualcomm
Qet5100m by Qualcomm
Qet6100 by Qualcomm
Qet6110 by Qualcomm
Qfe1040 by Qualcomm
Qfe1045 by Qualcomm
Qfe1055 by Qualcomm
Qfe1100 by Qualcomm
Qfe2080fc by Qualcomm
Qfe2081fc by Qualcomm
Qfe2082fc by Qualcomm
Qfe2101 by Qualcomm
Qfe2330 by Qualcomm
Qfe2340 by Qualcomm
Qfe2520 by Qualcomm
Qfe2550 by Qualcomm
Qfe3100 by Qualcomm
Qfe3320 by Qualcomm
Qfe3335 by Qualcomm
Qfe3340 by Qualcomm
Qfe3345 by Qualcomm
Qfe3440fc by Qualcomm
Qfe4301 by Qualcomm
Qfe4302 by Qualcomm
Qfe4303 by Qualcomm
Qfe4305 by Qualcomm
Qfe4308 by Qualcomm
Qfe4309 by Qualcomm
Qfe4320 by Qualcomm
Qfe4373fc by Qualcomm
Qfe4455fc by Qualcomm
Qfe4465fc by Qualcomm
Qfs2530 by Qualcomm
Qfs2580 by Qualcomm
Qfs2608 by Qualcomm
Qfs2630 by Qualcomm
Qln1020 by Qualcomm
Qln1021aq by Qualcomm
Qln1030 by Qualcomm
Qln1031 by Qualcomm
Qln1035bd by Qualcomm
Qln1036aq by Qualcomm
Qln4640 by Qualcomm
Qln4642 by Qualcomm
Qln4650 by Qualcomm
Qln5020 by Qualcomm
Qln5030 by Qualcomm
Qln5040 by Qualcomm
Qpa2625 by Qualcomm
Qpa4340 by Qualcomm
Qpa4360 by Qualcomm
Qpa4361 by Qualcomm
Qpa5373 by Qualcomm
Qpa5460 by Qualcomm
Qpa5461 by Qualcomm
Qpa5580 by Qualcomm
Qpa5581 by Qualcomm
Qpa6560 by Qualcomm
Qpa8673 by Qualcomm
Qpa8675 by Qualcomm
Qpa8686 by Qualcomm
Qpa8801 by Qualcomm
Qpa8802 by Qualcomm
Qpa8803 by Qualcomm
Qpa8821 by Qualcomm
Qpa8842 by Qualcomm
Qpm2630 by Qualcomm
Qpm4621 by Qualcomm
Qpm4630 by Qualcomm
Qpm4640 by Qualcomm
Qpm4641 by Qualcomm
Qpm4650 by Qualcomm
Qpm5620 by Qualcomm
Qpm5621 by Qualcomm
Qpm5641 by Qualcomm
Qpm5657 by Qualcomm
Qpm5658 by Qualcomm
Qpm5670 by Qualcomm
Qpm5677 by Qualcomm
Qpm5679 by Qualcomm
Qpm5870 by Qualcomm
Qpm5875 by Qualcomm
Qpm6582 by Qualcomm
Qpm6585 by Qualcomm
Qpm6621 by Qualcomm
Qpm6670 by Qualcomm
Qpm8820 by Qualcomm
Qpm8830 by Qualcomm
Qpm8870 by Qualcomm
Qpm8895 by Qualcomm
Qsm7250 by Qualcomm
Qsm8250 by Qualcomm
Qsw6310 by Qualcomm
Qsw8573 by Qualcomm
Qsw8574 by Qualcomm
Qtc410s by Qualcomm
Qtc800h by Qualcomm
Qtc800s by Qualcomm
Qtc800t by Qualcomm
Qtc801s by Qualcomm
Qtm525 by Qualcomm
Qualcomm215 by Qualcomm
Rgr7640au by Qualcomm
Rsw8577 by Qualcomm
Sa415m by Qualcomm
Sa6145p by Qualcomm
Sa6150p by Qualcomm
Sa6155 by Qualcomm
Sa6155p by Qualcomm
Sa8150p by Qualcomm
Sa8155 by Qualcomm
Sa8155p by Qualcomm
Sa8195p by Qualcomm
Sd205 by Qualcomm
Sd210 by Qualcomm
Sd429 by Qualcomm
Sd439 by Qualcomm
Sd450 by Qualcomm
Sd455 by Qualcomm
Sd460 by Qualcomm
Sd632 by Qualcomm
Sd636 by Qualcomm
Sd660 by Qualcomm
Sd662 by Qualcomm
Sd665 by Qualcomm
Sd670 by Qualcomm
Sd675 by Qualcomm
Sd690 5g by Qualcomm
Sd710 by Qualcomm
Sd712 by Qualcomm
Sd720g by Qualcomm
Sd730 by Qualcomm
Sd750g by Qualcomm
Sd765 by Qualcomm
Sd765g by Qualcomm
Sd768g by Qualcomm
Sd820 by Qualcomm
Sd821 by Qualcomm
Sd835 by Qualcomm
Sd845 by Qualcomm
Sd850 by Qualcomm
Sd855 by Qualcomm
Sd865 5g by Qualcomm
Sd888 5g by Qualcomm
Sd8c by Qualcomm
Sd8cx by Qualcomm
Sda429w by Qualcomm
Sdm429w by Qualcomm
Sdm630 by Qualcomm
Sdm830 by Qualcomm
Sdr051 by Qualcomm
Sdr052 by Qualcomm
Sdr425 by Qualcomm
Sdr660 by Qualcomm
Sdr660g by Qualcomm
Sdr675 by Qualcomm
Sdr735 by Qualcomm
Sdr735g by Qualcomm
Sdr8150 by Qualcomm
Sdr8250 by Qualcomm
Sdr845 by Qualcomm
Sdr865 by Qualcomm
Sdw3100 by Qualcomm
Sdx50m by Qualcomm
Sdx55 by Qualcomm
Sdx55m by Qualcomm
Sdxr1 by Qualcomm
Sdxr2 5g by Qualcomm
Sm4125 by Qualcomm
Sm6250 by Qualcomm
Sm6250p by Qualcomm
Sm7250p by Qualcomm
Sm7350 by Qualcomm
Smb1350 by Qualcomm
Smb1351 by Qualcomm
Smb1354 by Qualcomm
Smb1355 by Qualcomm
Smb1357 by Qualcomm
Smb1358 by Qualcomm
Smb1360 by Qualcomm
Smb1380 by Qualcomm
Smb1381 by Qualcomm
Smb1390 by Qualcomm
Smb1394 by Qualcomm
Smb1395 by Qualcomm
Smb1396 by Qualcomm
Smb1398 by Qualcomm
Smb231 by Qualcomm
Smb2351 by Qualcomm
Smr525 by Qualcomm
Smr526 by Qualcomm
Smr545 by Qualcomm
Smr546 by Qualcomm
Wcd9306 by Qualcomm
Wcd9310 by Qualcomm
Wcd9320 by Qualcomm
Wcd9326 by Qualcomm
Wcd9330 by Qualcomm
Wcd9335 by Qualcomm
Wcd9340 by Qualcomm
Wcd9341 by Qualcomm
Wcd9360 by Qualcomm
Wcd9370 by Qualcomm
Wcd9371 by Qualcomm
Wcd9375 by Qualcomm
Wcd9380 by Qualcomm
Wcd9385 by Qualcomm
Wcn3610 by Qualcomm
Wcn3615 by Qualcomm
Wcn3620 by Qualcomm
Wcn3660 by Qualcomm
Wcn3660a by Qualcomm
Wcn3660b by Qualcomm
Wcn3680 by Qualcomm
Wcn3680b by Qualcomm
Wcn3910 by Qualcomm
Wcn3950 by Qualcomm
Wcn3980 by Qualcomm
Wcn3988 by Qualcomm
Wcn3990 by Qualcomm
Wcn3991 by Qualcomm
Wcn3998 by Qualcomm
Wcn3999 by Qualcomm
Wcn6740 by Qualcomm
Wcn6750 by Qualcomm
Wcn6850 by Qualcomm
Wcn6851 by Qualcomm
Wcn6856 by Qualcomm
Wfr1620 by Qualcomm
Wfr2600 by Qualcomm
Wgr7640 by Qualcomm
Whs9410 by Qualcomm
Wsa8810 by Qualcomm
Wsa8815 by Qualcomm
Wsa8830 by Qualcomm
Wsa8835 by Qualcomm
Wtr1605 by Qualcomm
Wtr1605l by Qualcomm
Wtr1625 by Qualcomm
Wtr1625l by Qualcomm
Wtr2100 by Qualcomm
Wtr2605 by Qualcomm
Wtr2655 by Qualcomm
Wtr2955 by Qualcomm
Wtr2965 by Qualcomm
Wtr3905 by Qualcomm
Wtr3925 by Qualcomm
Wtr3950 by Qualcomm
Wtr4605 by Qualcomm
Wtr4905 by Qualcomm
Wtr5975 by Qualcomm
Wtr6955 by Qualcomm
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains full control of device, executes arbitrary code with kernel privileges, and potentially installs persistent malware or exfiltrates sensitive data.
Likely Case
Remote code execution leading to device compromise, data theft, or denial of service through device crashes.
If Mitigated
If patched, no impact. With network segmentation and strict input validation, exploitation risk is significantly reduced.
🌐 Internet-Facing: HIGH - Exploitable via network-delivered malicious audio content without authentication.
🏢 Internal Only: HIGH - Can be exploited through internal network services or user-initiated audio playback.
🎯 Exploit Status
Public PoC:
✅ No
Weaponized:
UNKNOWN
Unauthenticated Exploit:
⚠️ Yes
Complexity:
MEDIUM
Exploitation requires crafting a malicious audio bitstream, but no public exploit code is known. The high CVSS score suggests significant attack potential.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Qualcomm December 2020 security bulletin for specific patched versions per product.
Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/december-2020-bulletin
Restart Required: Yes
Instructions:
1. Check device manufacturer for firmware updates. 2. Apply Qualcomm-provided patches through OEM updates. 3. Reboot device after update. 4. Verify patch installation via version checks.
🔧 Temporary Workarounds
Disable vulnerable audio services
allTemporarily disable or restrict audio playback services that process untrusted content.
# Platform-specific; consult device documentation for service management commands
Network segmentation
allIsolate affected devices from untrusted networks to prevent remote exploitation.
# Configure firewall rules to restrict inbound/outbound audio-related traffic
🧯 If You Can't Patch
- Segment affected devices on isolated network segments with strict access controls.
- Implement application allowlisting to prevent execution of unauthorized code.
🔍 How to Verify
Check if Vulnerable:
Check device firmware version against Qualcomm's December 2020 security bulletin or contact device manufacturer.Check Version:
# Platform-specific; e.g., on Android: 'getprop ro.build.fingerprint' or check Settings > About PhoneVerify Fix Applied:
Confirm firmware version is updated to a version listed as patched in Qualcomm advisory.📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes in audio services
- Memory corruption errors in system logs
- Unusual audio file processing attempts
Network Indicators:
- Anomalous network traffic to/from audio streaming services
- Unexpected audio file downloads
SIEM Query:
Example: 'process:audio* AND (event:crash OR event:memory_violation)'