CVE-2025-47348
Published: 07 January 2026
Summary
CVE-2025-47348 is a high-severity Use of Uninitialized Variable (CWE-457) vulnerability in Qualcomm Aqt1000 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2025-47348 by requiring timely patching of the use-after-free memory corruption flaw in the trusted application's identity credential processing.
Implements memory protection mechanisms such as address space randomization and data execution prevention to block exploitation of the use-after-free vulnerability during credential operations.
Isolates the trusted application as a security function, limiting the blast radius of local low-privilege exploitation of the memory corruption vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption (UAF) in trusted app enables arbitrary code execution/privilege escalation from low-priv context.
NVD Description
Memory corruption while processing identity credential operations in the trusted application.
Deeper analysisAI
CVE-2025-47348 is a memory corruption vulnerability, classified under CWE-457 (Use After Free), that occurs while processing identity credential operations in the trusted application. It affects Qualcomm products, as detailed in their security bulletin. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-07T12:17:04.457.
A local attacker with low privileges can exploit this vulnerability through low-complexity means without requiring user interaction. Successful exploitation enables high-impact consequences across confidentiality, integrity, and availability, potentially leading to arbitrary code execution or disruption within the trusted application context.
Qualcomm's January 2026 security bulletin provides further details on the vulnerability, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html, including information on affected products and recommended mitigations or patches.
Details
- CWE(s)