CVE-2025-59603
Published: 02 March 2026
Summary
CVE-2025-59603 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Qualcomm Sd865 5G Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates invalid user addresses to prevent improper processing that triggers out-of-bounds writes.
Implements memory protection mechanisms like address space layout randomization and data execution prevention to mitigate memory corruption exploits.
Mandates timely flaw remediation through vendor patches specifically provided for this Qualcomm memory corruption vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption (out-of-bounds write) with low-priv access directly enables exploitation for privilege escalation to achieve arbitrary code execution.
NVD Description
Memory Corruption when processing invalid user address with nonstandard buffer address.
Deeper analysisAI
CVE-2025-59603 is a memory corruption vulnerability stemming from improper handling of an invalid user address paired with a nonstandard buffer address, classified under CWE-787 (Out-of-bounds Write). It affects components in Qualcomm products, as documented in the vendor's March 2026 security bulletin. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact with relatively low barriers to exploitation.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction required. Exploitation involves triggering the memory corruption during address processing, potentially leading to high confidentiality, integrity, and availability impacts, such as arbitrary code execution, data tampering, or denial of service within the affected scope (S:U).
The Qualcomm March 2026 security bulletin provides details on mitigation, including available patches and affected versions; practitioners should consult https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2026-bulletin.html for specific remediation steps and update guidance.
Details
- CWE(s)