What vulnerabilities did Qualcomm patch in September 2025?

Qualcomm Technologies patched multiple security vulnerabilities in its September 2025 Security Bulletin, including two critical remote code execution flaws. The bulletin addresses 29 vulnerabilities in proprietary software and 4 moderate-severity issues in open-source components, affecting Snapdragon processors, FastConnect modules, and automotive platforms.

What are the most critical Qualcomm vulnerabilities patched in September 2025?

The most critical vulnerabilities are CVE-2025-21483 and CVE-2025-27034, both with CVSS scores of 9.8. CVE-2025-21483 involves improper memory buffer restrictions that enable memory corruption when devices receive malicious RTP packets. CVE-2025-27034 is an array index validation flaw that allows memory corruption during PLMN selection processes.

How does CVE-2025-21483 work and what makes it dangerous?

CVE-2025-21483 is an improper restriction of operations within memory buffer bounds in the Data Network Stack & Connectivity component. This vulnerability enables memory corruption when User Equipment (UE) receives malicious RTP packets from the network during Network Abstraction Layer Unit (NALU) reassembly processes, potentially allowing remote code execution.

Are automotive systems affected by the Qualcomm vulnerabilities?

Yes, several vulnerabilities specifically affect automotive software platforms based on QNX, including CVE-2025-27077 (Use After Free), CVE-2025-47314 (Improper Input Validation), and CVE-2025-47315 (Use After Free), all with CVSS scores of 7.8. Automotive platforms SA8155P and SA8295P are also affected by the critical vulnerabilities.

What open-source component vulnerabilities did Qualcomm address?

Qualcomm addressed four moderate-severity vulnerabilities in open-source software components: CVE-2025-21476 (Computer Vision, CVSS 7.8), CVE-2025-27030 (Audio component, CVSS 6.1), CVE-2025-27033 (Video component, CVSS 6.1), and CVE-2025-27037 (Camera Driver, CVSS 7.8). Patch links are provided for developers to implement fixes directly from Code Linaro repositories.

How can device manufacturers and users get patches for these Qualcomm vulnerabilities?

Qualcomm has shared patches with Original Equipment Manufacturers (OEMs) and strongly recommends immediate deployment on released devices. For open-source vulnerabilities, patch links are available through Code Linaro repositories. End users should immediately install any security updates provided by their device manufacturers and monitor for firmware updates addressing these Qualcomm vulnerabilities.

What should consumers do about the Qualcomm security vulnerabilities?

Consumers should immediately install any security updates provided by their device manufacturers, regularly check for and apply firmware updates, enable automatic updates where possible, and monitor official communications from their device manufacturers about security patches. Given the critical nature of some vulnerabilities (CVSS 9.8), prompt updating is essential for device security.

Advisory

Qualcomm releases September 2025 Patch, fixes over 20 flaws, two critical

Q: Which Qualcomm chipsets are affected by these critical vulnerabilities?

The critical vulnerability CVE-2025-21483 impacts over 150 different chipset models, including popular consumer processors like Snapdragon 855, Snapdragon 865 5G, Snapdragon 888, Snapdragon 8 Gen1, FastConnect 6200/6700/6800/6900/7800 series, automotive platforms SA8155P and SA8295P, and numerous IoT and modem solutions. CVE-2025-27034 affects major 5G modem systems including Snapdragon X55/X62/X65/X70/X72/X75 series.

published: Sept. 2, 2025

Take action: Qualcomm has patched their vulnerabilities, but you can't apply the patches directly. You need to wait for your vendor that integrated the Qualcomm chips to release an update. Best you can do is be diligent and monitor for an update from your vendor. For Automotive and IoT implementations, reach out to your vendor for timeline of a patch.

Learn More

Qualcomm Technologies has patched multiple security vulnerabilities in its September 2025 Security Bulletin, including two remote code execution flaws. The bulletin patches 29 vulnerabilities in proprietary software and 4 moderate-severity issues in open-source components, affecting Snapdragon processors, FastConnect modules, and automotive platforms.

Vulnerabilitiess summary:

CVE-2025-21483 (CVSS score 9.8) - Improper Restriction of Operations within the Bounds of a Memory Buffer in Data Network Stack & Connectivity. This vulnerability enables memory corruption when User Equipment (UE) receives malicious RTP packets from the network during Network Abstraction Layer Unit (NALU) reassembly processes.
CVE-2025-27034 (CVSS score 9.8) - Improper Validation of Array Index in Multi-Mode Call Processor. This flaw allows memory corruption during Public Land Mobile Network (PLMN) selection from Service Orchestration failed lists.
CVE-2025-21484 (CVSS score 8.2) - Buffer Over-read in Data Network Stack & Connectivity
CVE-2025-21487 (CVSS score 8.2) - Buffer Over-read in Data Network Stack & Connectivity
CVE-2025-21488 (CVSS score 8.2) - Buffer Over-read in Data Network Stack & Connectivity
CVE-2025-21481 (CVSS score 7.8) - Buffer Copy Without Checking Size of Input in HLOS
CVE-2025-27032 (CVSS score 7.8) - Improper Access Control Applied to Mirrored or Aliased Memory Regions in Hypervisor
CVE-2025-27077 (CVSS score 7.8) - Use After Free in Automotive Software platform based on QNX
CVE-2025-47314 (CVSS score 7.8) - Improper Input Validation in Automotive Software platform based on QNX
CVE-2025-47315 (CVSS score 7.8) - Use After Free in Automotive Software platform based on QNX
CVE-2025-47316 (CVSS score 7.8) - Double Free in Video component
CVE-2025-47317 (CVSS score 7.8) - Buffer Over-read in BT Controller
CVE-2025-47327 (CVSS score 7.8) - Use After Free in Camera component
CVE-2025-47329 (CVSS score 7.8) - Release of Invalid Pointer or Reference in Android Core
CVE-2025-47318 (CVSS score 7.5) - Buffer Over-read in BT Controller
CVE-2025-47326 (CVSS score 7.5) - Buffer Over-read in WLAN HAL
CVE-2025-47328 (CVSS score 7.5) - Buffer Over-read in WLAN HAL
CVE-2025-21482 (CVSS score 7.1) - Cryptographic Issues in Core component

The vulnerabilities affect most of Qualcomm chipsets in multiple product categories. Critical vulnerability CVE-2025-21483 impacts over 150 different chipset models, including popular consumer processors like Snapdragon 855, Snapdragon 865 5G, Snapdragon 888, Snapdragon 8 Gen1, FastConnect 6200/6700/6800/6900/7800 series, automotive platforms SA8155P, SA8295P, and numerous IoT and modem solutions.

Similarly, CVE-2025-27034 affects major 5G modem systems including Snapdragon X55/X62/X65/X70/X72/X75 5G Modem-RF Systems, multiple Snapdragon 8 Gen series processors, automotive platforms, and dozens of WiFi and Bluetooth controllers. The widespread impact demonstrates the critical nature of these flaws across Qualcomm's entire product ecosystem.

The bulletin also addresses four moderate-severity vulnerabilities in open-source software components:

CVE-2025-21476 (CVSS score 7.8) - Buffer Copy Without Checking Size of Input in Computer Vision
CVE-2025-27030 (CVSS score 6.1) - Buffer Over-read in Audio component
CVE-2025-27033 (CVSS score 6.1) - Buffer Over-read in Video component
CVE-2025-27037 (CVSS score 7.8) - Use After Free in Camera Driver

Qualcomm has provided patch links for these open-source vulnerabilities, enabling developers and device manufacturers to implement fixes directly from the Code Linaro repositories.

Qualcomm has shared patches with Original Equipment Manufacturers (OEMs) and strongly recommends immediate deployment on released devices. End users should immediately install any security updates provided by their device manufacturers and monitor for firmware updates addressing these Qualcomm vulnerabilities.

Qualcomm releases September 2025 Patch, fixes over 20 flaws, two critical