CVE-2026-21373
Published: 06 April 2026
Summary
CVE-2026-21373 is a high-severity Buffer Over-read (CWE-126) vulnerability in Qualcomm Aqt1000 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of buffer sizes provided as input during IOCTL processing to prevent memory corruption from invalid access.
Mandates timely identification, reporting, and patching of the specific memory corruption flaw in CVE-2026-21373 as documented in the Qualcomm bulletin.
Implements memory protections that restrict unauthorized access and modification to buffers, mitigating the effects of unvalidated IOCTL buffer handling.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption in kernel IOCTL handler directly enables privilege escalation via arbitrary code execution from low-privileged context.
NVD Description
Memory Corruption when accessing an output buffer without validating its size during IOCTL processing.
Deeper analysisAI
CVE-2026-21373 is a memory corruption vulnerability stemming from CWE-126, where an output buffer is accessed without validating its size during IOCTL processing. This issue was published on 2026-04-06 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It affects components in Qualcomm products, as documented in their security advisories.
The vulnerability can be exploited by a local attacker who has low privileges on the target system. Exploitation requires low complexity and no user interaction, with an unchanged scope. Successful attacks can lead to high impacts on confidentiality, integrity, and availability, enabling potential outcomes such as arbitrary code execution, data leakage, or system disruption.
Mitigation details are provided in the Qualcomm April 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html, which covers affected products, patches, and remediation steps.
Details
- CWE(s)