CVE-2025-47390
Published: 06 April 2026
Summary
CVE-2025-47390 is a high-severity Buffer Over-read (CWE-126) vulnerability in Qualcomm Qcm5430 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-16 directly mitigates memory corruption vulnerabilities like this buffer over-read in the JPEG driver by enforcing memory protection mechanisms such as address space layout randomization and data execution prevention.
SI-10 prevents the buffer over-read by requiring validation of IOCTL requests preprocessed by the JPEG driver to ensure inputs do not exceed buffer boundaries.
SI-2 addresses this specific CVE by requiring timely remediation through application of the Qualcomm security bulletin patch for affected products.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel driver memory corruption (buffer over-read via IOCTL) directly enables privilege escalation from low-privileged local context to arbitrary code execution or DoS.
NVD Description
Memory corruption while preprocessing IOCTL request in JPEG driver.
Deeper analysisAI
CVE-2025-47390 is a memory corruption vulnerability, classified under CWE-126 (Buffer Over-read), that occurs while preprocessing IOCTL requests in the JPEG driver. It affects Qualcomm products, as indicated by the vendor's security bulletin.
The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating a high-severity issue exploitable by a local attacker with low privileges. Exploitation requires low complexity and no user interaction, potentially allowing the attacker to achieve high impacts on confidentiality, integrity, and availability, such as arbitrary code execution or system denial of service.
Qualcomm has published a security bulletin in April 2026 addressing this vulnerability, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html, which provides details on affected versions and recommended mitigations or patches.
Details
- CWE(s)