Cyber Resilience

CVE-2025-47359

High

Published: 02 February 2026

Published
02 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-47359 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm Qca6391 Firmware. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-47359 is a memory corruption vulnerability stemming from multiple threads simultaneously accessing a memory free API, classified under CWE-416 (Use After Free). It affects components in Qualcomm products, as documented in the vendor's February 2026 security bulletin.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating a high-severity issue exploitable by a local attacker with low privileges and low complexity, without requiring user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data tampering, or denial of service on the affected system.

Qualcomm's February 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html outlines affected products, exploitation details, and recommended patches or mitigations for remediation.

EU & UK References

Vulnerability details

Memory Corruption when multiple threads simultaneously access a memory free API.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local use-after-free memory corruption enables exploitation for privilege escalation to achieve arbitrary code execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-47358Same product: Qualcomm Fastconnect 6900
CVE-2026-21380Same product: Qualcomm Fastconnect 6900
CVE-2024-45561Same product: Qualcomm Aqt1000
CVE-2024-33059Same product: Qualcomm Fastconnect 6900
CVE-2024-38411Same product: Qualcomm Fastconnect 6900
CVE-2024-45580Same product: Qualcomm Fastconnect 6900
CVE-2024-33055Same product: Qualcomm Fastconnect 6900
CVE-2024-43062Same product: Qualcomm Fastconnect 6900
CVE-2024-43059Same product: Qualcomm Fastconnect 6900
CVE-2024-53023Same product: Qualcomm Fastconnect 6900

Affected Assets

qualcomm
qca6391 firmware
all versions
qualcomm
qca6420 firmware
all versions
qualcomm
qca6430 firmware
all versions
qualcomm
qcc2072 firmware
all versions
qualcomm
sc8380xp firmware
all versions
qualcomm
sc8180x-ad firmware
all versions
qualcomm
sc8180xp-ad firmware
all versions
qualcomm
sc8180x-aaab firmware
all versions
qualcomm
sc8180xp-acaf firmware
all versions
qualcomm
sc8180x-acaf firmware
all versions
+27 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Implements memory protection mechanisms that directly mitigate use-after-free vulnerabilities by enforcing bounds checking and preventing unauthorized memory access during concurrent thread operations.

prevent

Mandates timely flaw remediation through vendor patches outlined in Qualcomm's February 2026 bulletin, directly addressing the memory free API race condition.

detect

Supports vulnerability scanning to identify CVE-2025-47359 in Qualcomm products, enabling proactive risk response.

References