CVE-2025-47359
Published: 02 February 2026
Summary
CVE-2025-47359 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm Qca6391 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Implements memory protection mechanisms that directly mitigate use-after-free vulnerabilities by enforcing bounds checking and preventing unauthorized memory access during concurrent thread operations.
Mandates timely flaw remediation through vendor patches outlined in Qualcomm's February 2026 bulletin, directly addressing the memory free API race condition.
Supports vulnerability scanning to identify CVE-2025-47359 in Qualcomm products, enabling proactive risk response.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local use-after-free memory corruption enables exploitation for privilege escalation to achieve arbitrary code execution.
NVD Description
Memory Corruption when multiple threads simultaneously access a memory free API.
Deeper analysisAI
CVE-2025-47359 is a memory corruption vulnerability stemming from multiple threads simultaneously accessing a memory free API, classified under CWE-416 (Use After Free). It affects components in Qualcomm products, as documented in the vendor's February 2026 security bulletin.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating a high-severity issue exploitable by a local attacker with low privileges and low complexity, without requiring user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data tampering, or denial of service on the affected system.
Qualcomm's February 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html outlines affected products, exploitation details, and recommended patches or mitigations for remediation.
Details
- CWE(s)