CVE-2025-47388

7.8 HIGH

📋 TL;DR

This CVE describes a memory corruption vulnerability in Qualcomm DSP (Digital Signal Processor) drivers where passing memory pages with unaligned starting addresses can cause buffer overflow conditions. This affects devices using Qualcomm chipsets with vulnerable DSP firmware/drivers. Attackers could potentially execute arbitrary code with kernel privileges.
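The advisory does not publish the faulty code. The following added example (not Qualcomm's driver code) illustrates the general bug class: when a buffer starts partway into a page, it touches one more page than its length alone suggests, so a page array sized from the length can be overrun. The function names and the 4 KiB page size are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PG_SHIFT 12u                        /* assumption: 4 KiB pages */
#define PG_SIZE  ((uint64_t)1 << PG_SHIFT)
#define PG_MASK  (PG_SIZE - 1)

/* Naive count: ignores the offset of addr inside its first page. */
static uint64_t pages_naive(uint64_t addr, uint64_t len)
{
    (void)addr;
    return (len + PG_MASK) >> PG_SHIFT;
}

/* Correct count: pages touched by [addr, addr + len).
 * Returns 0 for empty or wrapping ranges so callers can reject them. */
static uint64_t pages_spanned(uint64_t addr, uint64_t len)
{
    if (len == 0 || len > UINT64_MAX - addr)
        return 0;
    uint64_t first = addr >> PG_SHIFT;
    uint64_t last  = (addr + len - 1) >> PG_SHIFT;
    return last - first + 1;
}

/* Hypothetical validation before filling a page array of `capacity` slots:
 * returns 0 if the region fits, -1 if it must be rejected. */
static int region_fits(uint64_t addr, uint64_t len, uint64_t capacity)
{
    uint64_t need = pages_spanned(addr, len);
    return (need != 0 && need <= capacity) ? 0 : -1;
}

int main(void)
{
    /* Constructed input: 8 KiB buffer starting 0x800 bytes into a page. */
    uint64_t addr = 0x10000800, len = 0x2000;
    uint64_t cap = pages_naive(addr, len);   /* array sized naively */
    printf("naive=%llu spanned=%llu fits=%d\n",
           (unsigned long long)cap,
           (unsigned long long)pages_spanned(addr, len),
           region_fits(addr, len, cap));
    return 0;
}
```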

💻 Affected Systems

Products:
  • Qualcomm Snapdragon mobile platforms
  • Qualcomm automotive platforms
  • Qualcomm IoT platforms
Versions: Specific versions not publicly detailed in initial advisory
Operating Systems: Android, Linux-based systems using Qualcomm chips
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Qualcomm DSP functionality enabled. Exact chipset models and firmware versions require checking Qualcomm's security bulletin.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise allowing kernel-level arbitrary code execution, potentially leading to persistent backdoor installation, data theft, or device bricking.

🟠 Likely Case

Local privilege escalation from user to kernel space, allowing attackers to bypass security controls and gain elevated system access.

🟢 If Mitigated

Limited impact with proper memory protection mechanisms and SELinux/app sandboxing in place, potentially causing only denial of service.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access to trigger the memory corruption. Exploitation likely requires bypassing additional security mitigations like ASLR and stack canaries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Qualcomm January 2026 security bulletin for specific patch versions

Vendor Advisory: https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html

Restart Required: Yes

Instructions:

1. Check Qualcomm security bulletin for your specific chipset/platform.
2. Obtain updated firmware/driver from device manufacturer.
3. Apply update following manufacturer instructions.
4. Reboot device to activate fixes.

🔧 Temporary Workarounds

Disable DSP functionality

linux

Disable Digital Signal Processor features if not required for device operation

# Platform-specific - consult device manufacturer documentation

Memory protection hardening

linux

Enable strict memory protection mechanisms and SELinux policies

setenforce 1
# Configure strict SELinux policies for DSP services

🧯 If You Can't Patch

  • Implement strict access controls to limit local user privileges
  • Monitor for unusual DSP service activity and memory corruption patterns

🔍 How to Verify

Check if Vulnerable:

Check device chipset model and firmware version against Qualcomm's affected products list in the security bulletin

Check Version:

grep -i qualcomm /proc/cpuinfo; dmesg | grep -i dsp

Verify Fix Applied:

Verify firmware/driver version has been updated to patched version specified in Qualcomm advisory

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • DSP service crashes
  • Memory corruption warnings in dmesg/kernel logs

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND ("DSP" OR "memory corruption" OR "unaligned address")
