CVE-2025-47405
Published: 04 May 2026
Summary
CVE-2025-47405 is a high-severity Untrusted Pointer Dereference (CWE-822) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Flaw remediation directly mitigates this CVE by applying Qualcomm's vendor patches to fix the memory corruption in camera sensor IOCTL processing.
Information input validation checks malformed camera sensor IOCTL requests and invalid output buffers to prevent untrusted pointer dereferences.
Memory protection controls such as address space randomization and non-executable memory prevent exploitation of memory corruption from invalid output buffers.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Local memory corruption via untrusted IOCTL pointer dereference enables arbitrary code execution from low privileges, directly mapping to exploitation for privilege escalation.
NVD Description
Memory corruption when processing camera sensor input/output control codes with invalid output buffers.
Deeper analysis [AI]
CVE-2025-47405 is a memory corruption vulnerability, classified as CWE-822 (Untrusted Pointer Dereference), that occurs when processing camera sensor input/output control codes with invalid output buffers. It affects components within Qualcomm products, as documented in the vendor's May 2026 security bulletin. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with significant potential impacts.
A local attacker with low privileges can exploit this vulnerability through low-complexity means without requiring user interaction. Exploitation involves supplying malformed camera sensor IOCTL requests with invalid output buffers, leading to memory corruption. Successful exploitation could have a high impact on confidentiality, integrity, and availability, such as arbitrary code execution in the context of the affected process or complete system denial of service.
Qualcomm's May 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html provides details on affected products, patch availability, and recommended mitigations for this CVE. Security practitioners should consult the bulletin for version-specific remediation steps.
Details
- CWE(s)