CVE-2025-21424
Published: 03 March 2025
Summary
CVE-2025-21424 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm 315 5G Iot Modem Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 43.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the specific use-after-free memory corruption in Qualcomm's NPU driver by requiring timely identification, reporting, and application of vendor patches from the March 2025 security bulletin.
Implements memory protection mechanisms such as address space layout randomization and data execution prevention to block exploitation of use-after-free vulnerabilities triggered by concurrent NPU driver API calls.
Isolates processes and memory to prevent concurrent API calls from interfering with each other and causing memory corruption in the NPU driver.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption (use-after-free) in NPU driver allows low-privileged attacker to achieve arbitrary code execution and full device compromise, directly mapping to exploitation for privilege escalation.
NVD Description
Memory corruption while calling the NPU driver APIs concurrently.
Deeper analysisAI
CVE-2025-21424 is a memory corruption vulnerability classified under CWE-416 (use-after-free), triggered by concurrent calls to NPU driver APIs. It affects Qualcomm's NPU driver components, with a CVSS v3.1 base score of 7.8 (High). The issue was publicly disclosed on March 3, 2025, via Qualcomm's security bulletin.
A local attacker with low privileges (PR:L) can exploit this vulnerability through low-complexity attacks (AC:L) requiring no user interaction (UI:N). Exploitation enables high-impact consequences, including unauthorized access to sensitive data (C:H), modification of system integrity (I:H), and disruption of availability (A:H), potentially leading to full device compromise within the unchanged security scope (S:U).
Mitigation details, including affected products and patching guidance, are outlined in Qualcomm's March 2025 security bulletin available at https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2025-bulletin.html.
Details
- CWE(s)