Cyber Resilience

CVE-2020-11261

HighCISA KEVActive ExploitationEUVD Exploited

Published: 09 June 2021

Published
09 June 2021
Modified
28 October 2025
KEV Added
01 December 2021
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0085 75.3th percentile
Risk Priority 36 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-11261 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Qualcomm Apq8009 Firmware. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 24.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2020-11261 is a memory corruption vulnerability caused by an improper input validation check that fails to return an error when a user application requests allocation of an excessively large memory size. The flaw affects multiple Qualcomm Snapdragon platforms, including Auto, Compute, Connectivity, Consumer IOT, Industrial IOT, Mobile, Voice & Music, and Wearables. It is tracked under CWEs 787 and 20 and carries a CVSS 3.1 base score of 7.8.

A local attacker with low privileges can exploit the issue without user interaction by supplying a malicious memory allocation request from an application running on an affected device. Successful exploitation can result in arbitrary memory corruption, enabling the attacker to achieve high impacts on confidentiality, integrity, and availability, such as arbitrary code execution or system compromise.

Qualcomm addressed the vulnerability in its January 2021 security bulletin, and the flaw appears in CISA's catalog of known exploited vulnerabilities, confirming observed real-world exploitation activity.

EU & UK References

Vulnerability details

Memory corruption due to improper check to return error when user application requests memory allocation of a huge size in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

CWE(s)
KEV Date Added
01 December 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qualcomm
apq8009 firmware
all versions
qualcomm
apq8009w firmware
all versions
qualcomm
apq8017 firmware
all versions
qualcomm
apq8037 firmware
all versions
qualcomm
apq8053 firmware
all versions
qualcomm
apq8064au firmware
all versions
qualcomm
apq8096au firmware
all versions
qualcomm
aqt1000 firmware
all versions
qualcomm
ar8031 firmware
all versions
qualcomm
ar8035 firmware
all versions
+389 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of memory allocation size inputs to reject excessively large requests before corruption occurs.

prevent

Enforces memory protection mechanisms that would block or contain the corruption resulting from the unchecked huge allocation.

prevent

Requires proper error handling so that an invalid huge-size allocation request returns an error instead of proceeding to memory corruption.

References