CVE-2025-47359
Published: 02 February 2026
Summary
CVE-2025-47359 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm Qca6391 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-47359 is a memory corruption vulnerability stemming from multiple threads simultaneously accessing a memory free API, classified under CWE-416 (Use After Free). It affects components in Qualcomm products, as documented in the vendor's February 2026 security bulletin.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating a high-severity issue exploitable by a local attacker with low privileges and low complexity, without requiring user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data tampering, or denial of service on the affected system.
Qualcomm's February 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html outlines affected products, exploitation details, and recommended patches or mitigations for remediation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206605
Vulnerability details
Memory Corruption when multiple threads simultaneously access a memory free API.
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local use-after-free memory corruption enables exploitation for privilege escalation to achieve arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
SI-16 (Memory Protection): Implements memory protection mechanisms that directly mitigate use-after-free vulnerabilities by enforcing bounds checking and preventing unauthorized memory access during concurrent thread operations.
SI-2 (Flaw Remediation): Mandates timely flaw remediation through vendor patches outlined in Qualcomm's February 2026 bulletin, directly addressing the memory free API race condition.
Supports vulnerability scanning to identify CVE-2025-47359 in Qualcomm products, enabling proactive risk response.