Cyber Resilience

CVE-2025-47398

High

Published: 02 February 2026

Published
02 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-47398 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm Qcm6490 Firmware. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-51 (Hardware-based Protection) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-47398 is a memory corruption vulnerability that occurs while deallocating graphics processing unit (GPU) memory buffers due to improper handling of memory pointers. It is classified under CWE-416 (Use After Free) and affects Qualcomm products, as documented in their security bulletin. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) when published on 2026-02-02.

The vulnerability can be exploited by a local attacker with low privileges, requiring low complexity and no user interaction. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data (confidentiality), modification of system resources (integrity), and disruption of services (availability).

Qualcomm's February 2026 Security Bulletin provides details on mitigations and patches; practitioners should consult the advisory at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html for specific remediation steps.

EU & UK References

Vulnerability details

Memory Corruption while deallocating graphics processing unit memory buffers due to improper handling of memory pointers.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local use-after-free memory corruption in GPU driver directly enables privilege escalation via crafted deallocation of buffers.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24082Same product: Qualcomm Ar8031
CVE-2025-47397Same product: Qualcomm Ar8031
CVE-2024-45553Same product: Qualcomm Fastconnect 6200
CVE-2025-47377Same product: Qualcomm Fastconnect 6200
CVE-2025-47386Same product: Qualcomm Ar8031
CVE-2025-47376Same product: Qualcomm Ar8031
CVE-2025-47375Same product: Qualcomm Ar8031
CVE-2025-47379Same product: Qualcomm Ar8031
CVE-2024-53023Same product: Qualcomm Fastconnect 6900
CVE-2025-21424Same product: Qualcomm Ar8031

Affected Assets

qualcomm
qcm6490 firmware
all versions
qualcomm
qcn9011 firmware
all versions
qualcomm
qcn9012 firmware
all versions
qualcomm
qcs2290 firmware
all versions
qualcomm
qcs410 firmware
all versions
qualcomm
qcs4290 firmware
all versions
qualcomm
qcs4490 firmware
all versions
qualcomm
qcs8550 firmware
all versions
qualcomm
qmp1000 firmware
all versions
qualcomm
qrb5165n firmware
all versions
+143 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the use-after-free memory corruption vulnerability by requiring timely application of Qualcomm-provided patches.

prevent

Implements runtime memory safeguards such as address space layout randomization and data execution prevention to block exploitation of improper GPU memory pointer handling.

prevent

Uses hardware-based protections like memory tagging and pointer authentication to detect and prevent memory corruption during GPU buffer deallocation.

References