Advisory

Qualcomm December 2025 Security Bulletin, patches multiple flaws, at least one critical

Take action: Qualcomm has patched these vulnerabilities, but you can't apply the patches directly. You need to wait for the vendor that integrated the Qualcomm chips into your device to release an update. The best you can do is be diligent and monitor for an update from your vendor. For Automotive and IoT implementations, reach out to your vendor for a patch timeline.


Learn More

Qualcomm Technologies has released its December 2025 security bulletin patching multiple high-impact vulnerabilities affecting chipsets used in mobile devices, automotive systems, and Internet of Things products worldwide. 

The bulletin includes patches for seven proprietary software vulnerabilities and four open-source software issues, with two vulnerabilities receiving a "Critical" security rating.

Vulnerabilities summary:

  • CVE-2025-47372 (CVSS score 9.0, Qualcomm severity Critical) - Buffer Copy Without Checking Size of Input in Boot - Memory corruption when a corrupted ELF image with an oversized file size is read into a buffer without authentication
  • CVE-2025-47319 (CVSS score 6.7, Qualcomm severity Critical) - Exposure of Sensitive System Information to an Unauthorized Control Sphere in HLOS - Information disclosure while exposing internal TA-to-TA communication APIs to HLOS
  • CVE-2025-47323 (CVSS score 7.8, Qualcomm severity High) - Integer Overflow or Wraparound in Audio - Memory corruption while routing GPR packets between user and root when handling large data packets
  • CVE-2025-47350 (CVSS score 7.8, Qualcomm severity High) - Use After Free in DSP Service - Memory corruption while handling concurrent memory mapping and unmapping requests from user-space applications
  • CVE-2025-47387 (CVSS score 7.8, Qualcomm severity High) - Untrusted Pointer Dereference in Camera - Memory corruption when processing IOCTLs for JPEG data without verification
  • CVE-2025-47325 (CVSS score 6.5, Qualcomm severity High) - Untrusted Pointer Dereference in TZ Firmware - Information disclosure while processing system calls with invalid parameters
  • CVE-2025-47321 (CVSS score 7.8, Qualcomm severity Medium) - Buffer Copy Without Checking Size of Input in Core Services - Memory corruption while copying packets received from unix clients

Open Source Software Vulnerabilities:

  • CVE-2025-47382 (CVSS score 7.8) - Incorrect Authorization in Boot - Memory corruption while loading an invalid firmware in boot loader
  • CVE-2025-27063 (CVSS score 7.8) - Use After Free in Video - Memory corruption during video playback when video session open fails with time out error
  • CVE-2025-47320 (CVSS score 7.8) - Out-of-bounds Write in Audio - Memory corruption while processing MFC channel configuration during music playback
  • CVE-2025-47322 (CVSS score 7.8) - Use After Free in Automotive Android OS - Memory corruption while handling IOCTL calls to set mode

The affected chipsets include current-generation platforms such as Snapdragon 8 Gen 3, Snapdragon 7 Gen 1, Snapdragon 6 Gen 1, and Snapdragon 4 Gen 2 mobile platforms, as well as automotive solutions including SA8775P, SA8650P, and QAM8775P series. Legacy platforms dating back several years, including Snapdragon 660, 680, 695, and 778G series, are also affected by various vulnerabilities detailed in the bulletin. 

Qualcomm emphasizes that the complete list of affected chipsets may not be exhaustive and recommends device manufacturers contact the company directly through their support channels for the latest information.

End users are strongly advised to contact their device manufacturers to inquire about patch availability and update schedules, as security patch deployment timelines vary by manufacturer and device model.
