Cyber Resilience

CVE-2021-1905

HighCISA KEVActive ExploitationEUVD Exploited

Published: 07 May 2021

Published
07 May 2021
Modified
28 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0076 73.8th percentile
Risk Priority 37 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-1905 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm Sd675 Firmware. Its CVSS base score is 8.4 (High).

Operationally, ranked in the top 26.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2021-1905 is a use-after-free vulnerability (CWE-416) caused by improper handling of memory mapping when multiple processes access the same region simultaneously. It affects a wide range of Qualcomm Snapdragon platforms, including Auto, Compute, Connectivity, Consumer IOT, Industrial IOT, Mobile, Voice & Music, and Wearables.

The flaw can be exploited by an unprivileged local attacker without user interaction. Successful exploitation grants the attacker full control over affected memory, enabling arbitrary code execution or other impacts that compromise confidentiality, integrity, and availability on the device.

Qualcomm's May 2021 security bulletin addresses the issue and provides mitigation guidance through updated firmware or software releases for the impacted Snapdragon components. The vulnerability is also catalogued by CISA as actively exploited in the wild.

EU & UK References

Vulnerability details

Possible use after free due to improper handling of memory mapping of multiple processes simultaneously. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qualcomm
apq8009 firmware
all versions
qualcomm
apq8009w firmware
all versions
qualcomm
apq8017 firmware
all versions
qualcomm
apq8053 firmware
all versions
qualcomm
apq8064au firmware
all versions
qualcomm
apq8096au firmware
all versions
qualcomm
aqt1000 firmware
all versions
qualcomm
ar8031 firmware
all versions
qualcomm
ar8035 firmware
all versions
qualcomm
ar8151 firmware
all versions
+386 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly implements memory protection safeguards that block use-after-free exploitation of concurrently mapped regions.

prevent

Enforces separate execution domains for each process, preventing improper shared-memory mappings that trigger the flaw.

prevent

Protects against unintended information transfer through shared system resources such as concurrently mapped memory pages.

References