CVE-2025-47366
Published: 02 February 2026
Summary
CVE-2025-47366 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Qualcomm Ar8035 Firmware. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-47366 is a cryptographic vulnerability affecting Qualcomm components, specifically arising in a Trusted Zone with outdated code that is triggered by a High-Level Operating System (HLOS) providing incorrect input. Assigned a CVSS v3.1 base score of 7.1 (High), it maps to CWE-749 (Exposed Dangerous Method or Function) and includes NVD-CWE-noinfo. The issue was published on 2026-02-02.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact confidentiality and integrity violations, such as unauthorized access to or modification of sensitive data, while availability remains unaffected and scope is unchanged.
Qualcomm's February 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html provides further details on affected products and recommended mitigations or patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206608
Vulnerability details
Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLOS providing incorrect input.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local low-priv exploit of exposed dangerous function in Qualcomm TrustZone/TEE directly enables privilege escalation (T1068) and credential/sensitive data access (T1212) with high confidentiality/integrity impact.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely remediation of flaws such as the outdated Trusted Zone code that enables CVE-2025-47366.
Mandates validation of inputs from the HLOS before they reach cryptographic functions in the Trusted Zone, blocking the trigger described in the CVE.
Enforces isolation of security functions within the Trusted Zone so that exposed dangerous methods cannot be reached by untrusted HLOS input.