CVE-2025-47392
Published: 06 April 2026
Summary
CVE-2025-47392 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Qualcomm 5G Fixed Wireless Access Platform Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 1.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the memory corruption vulnerability by identifying, testing, and installing patches from Qualcomm's security bulletin.
Validates inputs in satellite data files, including signature offsets, to prevent integer overflows and wraparound during decoding.
Provides memory protections like address space randomization and stack guards to mitigate exploitation of memory corruption from invalid offsets.
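The input-validation control above comes down to how an offset and a length read from a file are checked against the buffer size. The following is an added illustration of the CWE-190 pattern and its fix, not Qualcomm's code; the page does not describe the real file format, so the `sig_ref` layout, the function names and the sample values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for illustration only:
 * the page does not describe the real satellite data file format. */
struct sig_ref {
    uint32_t offset;  /* where the signature starts, from file start */
    uint32_t length;  /* signature size in bytes */
};

/* Flawed pattern (CWE-190): the sum is computed in 32 bits and can wrap,
 * so a huge offset plus a small length passes the comparison. */
static int range_ok_wrapping(struct sig_ref r, uint32_t file_len)
{
    uint32_t end = r.offset + r.length;   /* wraps modulo 2^32 */
    return end <= file_len;
}

/* Hardened pattern: never add the two untrusted values; compare each
 * against what remains of the buffer instead. */
static int range_ok_checked(struct sig_ref r, uint32_t file_len)
{
    if (r.offset > file_len)
        return 0;
    return r.length <= file_len - r.offset;  /* cannot underflow */
}

/* Returns a pointer to the signature bytes, or NULL if the reference
 * does not lie entirely inside buf[0..file_len). */
static const uint8_t *get_signature(const uint8_t *buf, uint32_t file_len,
                                    struct sig_ref r)
{
    if (buf == NULL || r.length == 0 || !range_ok_checked(r, file_len))
        return NULL;
    return buf + r.offset;
}

int main(void)
{
    static const uint8_t file[64] = {0};           /* constructed sample */
    struct sig_ref good = { 32, 16 };
    struct sig_ref bad  = { 0xFFFFFFF0u, 0x20u };  /* sum wraps to 0x10 */

    printf("wrapping check accepts bad ref: %d\n", range_ok_wrapping(bad, 64));
    printf("checked check accepts bad ref:  %d\n", range_ok_checked(bad, 64));
    printf("good ref resolves: %d\n", get_signature(file, 64, good) != NULL);
    return 0;
}
```

The subtraction form works for any unsigned width; where the compiler supports it, `__builtin_add_overflow` (GCC/Clang) is an alternative way to detect the wrap explicitly.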
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Memory corruption (integer overflow) in client-side satellite data decoding directly enables client-side exploitation for code execution (T1203).
NVD Description
Memory corruption when decoding corrupted satellite data files with invalid signature offsets.
Deeper analysis
CVE-2025-47392 is a memory corruption vulnerability, classified under CWE-190 (Integer Overflow or Wraparound), that occurs when decoding corrupted satellite data files containing invalid signature offsets. It affects components in Qualcomm products, as detailed in the vendor's security bulletin. The vulnerability received a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
An attacker on an adjacent network (AV:A) can exploit this vulnerability with low attack complexity and without privileges or user interaction. Successful exploitation enables high-impact outcomes, including unauthorized access to sensitive data (C:H), modification of system integrity (I:H), and disruption of availability (A:H), potentially leading to remote code execution or system compromise through the memory corruption triggered by malformed satellite data processing.
Qualcomm's April 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html provides details on affected products and recommended mitigations or patches. Security practitioners should consult this advisory for specific remediation steps.
Details
- CWE(s)