Cyber Posture

CVE-2025-47399

High

Published: 02 February 2026

Published
02 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-47399 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Qualcomm Cologne Firmware. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly enforces validation of invalid input parameters to IOCTL calls for sensor property updates, preventing memory corruption.

SI-16 Memory Protection good match
prevent

Implements runtime memory protections such as address space layout randomization and data execution prevention to mitigate exploitation of memory corruption vulnerabilities.

SI-2 Flaw Remediation good match
prevent

Requires timely application of vendor patches for the specific Qualcomm sensor IOCTL flaw, eliminating the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Local memory corruption in IOCTL handler directly enables kernel-level exploitation for privilege escalation and arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Memory Corruption while processing IOCTL call to update sensor property settings with invalid input parameters.

Deeper analysisAI

CVE-2025-47399 is a memory corruption vulnerability, classified under CWE-120, that occurs while processing an IOCTL call to update sensor property settings with invalid input parameters. It affects Qualcomm software components, particularly those handling sensor-related operations.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A local attacker with low privileges can exploit it through low-complexity means without requiring user interaction, potentially achieving high impacts on confidentiality, integrity, and availability, such as arbitrary code execution or system compromise.

Qualcomm's February 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html provides details on affected products and mitigation measures, including available patches.

Details

CWE(s)
CWE-120

Affected Products

qualcomm
cologne firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
wcd9378c firmware
all versions
qualcomm
wsa8840 firmware
all versions
qualcomm
wsa8845 firmware
all versions
qualcomm
wsa8845h firmware
all versions
qualcomm
x2000077 firmware
all versions
qualcomm
x2000086 firmware
all versions
qualcomm
x2000090 firmware
all versions
qualcomm
x2000092 firmware
all versions
+4 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-21382Same product: Qualcomm Cologne
CVE-2025-47380Same product: Qualcomm Fastconnect 7800
CVE-2025-47356Same product: Qualcomm Cologne
CVE-2026-21380Same product: Qualcomm Cologne
CVE-2025-47358Same product: Qualcomm Fastconnect 7800
CVE-2025-47389Same product: Qualcomm Cologne
CVE-2025-47394Same product: Qualcomm Fastconnect 7800
CVE-2025-47388Same product: Qualcomm Fastconnect 7800
CVE-2025-47343Same product: Qualcomm Cologne
CVE-2026-21372Same product: Qualcomm Cologne

References