Cyber Resilience

CVE-2021-1906

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 07 May 2021

Modified: 28 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0014 (33.7th percentile)
Risk Priority: 32 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-1906 is a medium-severity vulnerability of an unspecified weakness type in Qualcomm Sd675 Firmware. Its CVSS base score is 6.2 (Medium).

Operationally, it is ranked at the 33.7th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-24 (Fail in Known State) and SI-11 (Error Handling).

Deeper analysis

CVE-2021-1906 is an improper handling of address deregistration on failure that can lead to subsequent GPU address allocation failures. The issue affects Qualcomm Snapdragon Auto, Compute, Connectivity, Consumer IOT, Industrial IOT, Mobile, Voice & Music, and Wearables platforms.

A local attacker with no privileges required can trigger the flaw to produce a denial-of-service condition that prevents new GPU address allocations, resulting in high availability impact with no effect on confidentiality or integrity.

Qualcomm's May 2021 security bulletin addresses the vulnerability, and the issue appears in CISA's catalog of known exploited vulnerabilities.

The CVSS 6.2 score reflects the local attack vector and the resulting availability consequences on affected Snapdragon devices.

EU & UK References

Vulnerability details

Improper handling of address deregistration on failure can lead to new GPU address allocation failure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qualcomm apq8009 firmware: all versions
qualcomm apq8009w firmware: all versions
qualcomm apq8017 firmware: all versions
qualcomm apq8053 firmware: all versions
qualcomm apq8064au firmware: all versions
qualcomm apq8096au firmware: all versions
qualcomm aqt1000 firmware: all versions
qualcomm ar8031 firmware: all versions
qualcomm ar8035 firmware: all versions
qualcomm ar8151 firmware: all versions
+390 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires proper error handling for failures such as address deregistration, preventing the subsequent GPU allocation DoS described in CVE-2021-1906.

prevent: Ensures the GPU address-management component fails in a known state rather than leaving deregistration incomplete and blocking future allocations.

prevent: Limits the effects of resource-management failures on GPU address availability, directly mitigating the high-availability impact of this local flaw.

References