Cyber Resilience

CVE-2025-47392

High

Published: 06 April 2026

Modified: 08 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (6.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-47392 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Qualcomm 5G Fixed Wireless Access Platform Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 6.0th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-47392 is a memory corruption vulnerability, classified under CWE-190 (Integer Overflow or Wraparound), that occurs when decoding corrupted satellite data files containing invalid signature offsets. It affects components in Qualcomm products, as detailed in the vendor's security bulletin. The vulnerability received a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

An attacker on an adjacent network (AV:A) can exploit this vulnerability with low attack complexity, no privileges and no user interaction. Successful exploitation enables high-impact outcomes, including unauthorized access to sensitive data (C:H), modification of system integrity (I:H), and disruption of availability (A:H), potentially leading to remote code execution or system compromise through the memory corruption triggered by malformed satellite data processing.

Qualcomm's April 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html provides details on affected products and recommended mitigations or patches. Security practitioners should consult this advisory for specific remediation steps.

Vulnerability details

Memory corruption when decoding corrupted satellite data files with invalid signature offsets.

CWE(s)

CWE-190 (Integer Overflow or Wraparound)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Memory corruption (integer overflow) in client-side satellite data decoding directly enables client-side exploitation for code execution (T1203).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21385: same product, Qualcomm 5G Fixed Wireless Access Platform
CVE-2025-47383: same product, Qualcomm 5G Fixed Wireless Access Platform
CVE-2025-47376: same product, Qualcomm Ar8035
CVE-2025-47386: same product, Qualcomm Ar8035
CVE-2025-47375: same product, Qualcomm Ar8035
CVE-2025-47379: same product, Qualcomm 5G Fixed Wireless Access Platform
CVE-2025-47364: same product, Qualcomm Qca6574Au
CVE-2025-47363: same product, Qualcomm Qca6574Au
CVE-2026-25277: same product, Qualcomm Fastconnect 6700
CVE-2026-24091: same product, Qualcomm 5G Fixed Wireless Access Platform

Affected Assets

Vendor | Product | Versions
qualcomm | 5g fixed wireless access platform firmware | all versions
qualcomm | ar8035 firmware | all versions
qualcomm | csra6620 firmware | all versions
qualcomm | csra6640 firmware | all versions
qualcomm | fastconnect 6200 firmware | all versions
qualcomm | snapdragon 690 5g mobile platform firmware | all versions
qualcomm | snapdragon 695 5g mobile platform firmware | all versions
qualcomm | snapdragon 7 gen 1 mobile platform firmware | all versions
qualcomm | snapdragon 7+ gen 2 mobile platform firmware | all versions
qualcomm | snapdragon 778g 5g mobile platform firmware | all versions
+144 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly remediates the memory corruption vulnerability by identifying, testing, and installing patches from Qualcomm's security bulletin.

prevent

Validates inputs in satellite data files, including signature offsets, to prevent integer overflows and wraparound during decoding.

prevent

Provides memory protections like address space randomization and stack guards to mitigate exploitation of memory corruption from invalid offsets.
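
The input-validation control above comes down to range-checking an untrusted offset without letting the check itself wrap. The C sketch below is an added example, not Qualcomm's code: the function names, the 32-bit offset and length fields and the buffer layout are assumptions, since this page does not describe the file format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout: the file carries a 32-bit signature offset and
 * length, both untrusted. None of these names come from the vendor. */

/* Flawed check: sig_off + sig_len is computed in 32 bits and can wrap,
 * so a huge offset plus a small length passes the comparison. */
static bool sig_range_ok_wrapping(uint32_t file_len, uint32_t sig_off,
                                  uint32_t sig_len)
{
    return sig_off + sig_len <= file_len;   /* CWE-190: sum may wrap */
}

/* Hardened check: compare by subtraction so no intermediate can wrap. */
static bool sig_range_ok(uint32_t file_len, uint32_t sig_off,
                         uint32_t sig_len)
{
    if (sig_off > file_len)
        return false;                       /* offset is past end of file */
    return sig_len <= file_len - sig_off;   /* cannot underflow after the test above */
}

/* Returns a pointer to the signature inside buf, or NULL if the range is invalid. */
static const uint8_t *find_signature(const uint8_t *buf, uint32_t file_len,
                                     uint32_t sig_off, uint32_t sig_len)
{
    if (buf == NULL || sig_len == 0 ||
        !sig_range_ok(file_len, sig_off, sig_len))
        return NULL;
    return buf + sig_off;
}

int main(void)
{
    uint8_t file[64] = {0};                  /* constructed sample input */
    uint32_t off = 0xFFFFFFF0u, len = 0x20u; /* off + len wraps to 0x10 */

    printf("wrapping check accepts: %d\n", sig_range_ok_wrapping(64, off, len));
    printf("hardened check accepts: %d\n", sig_range_ok(64, off, len));
    printf("valid range accepted:   %d\n",
           find_signature(file, 64, 16, 32) != NULL);
    return 0;
}
```

The same subtraction pattern applies to any offset, length or count read from an untrusted file before it is used to index or size a buffer.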
