CVE-2026-21373
Published: 06 April 2026
Summary
CVE-2026-21373 is a high-severity Buffer Over-read (CWE-126) vulnerability in Qualcomm Aqt1000 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-21373 is a memory corruption vulnerability stemming from CWE-126, where an output buffer is accessed without validating its size during IOCTL processing. This issue was published on 2026-04-06 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It affects components in Qualcomm products, as documented in their security advisories.
The vulnerability can be exploited by a local attacker who has low privileges on the target system. Exploitation requires low complexity and no user interaction, with an unchanged scope. Successful attacks can lead to high impacts on confidentiality, integrity, and availability, enabling potential outcomes such as arbitrary code execution, data leakage, or system disruption.
Mitigation details are provided in the Qualcomm April 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html, which covers affected products, patches, and remediation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19325
Vulnerability details
Memory Corruption when accessing an output buffer without validating its size during IOCTL processing.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption in kernel IOCTL handler directly enables privilege escalation via arbitrary code execution from low-privileged context.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of buffer sizes provided as input during IOCTL processing to prevent memory corruption from invalid access.
Mandates timely identification, reporting, and patching of the specific memory corruption flaw in CVE-2026-21373 as documented in the Qualcomm bulletin.
Implements memory protections that restrict unauthorized access and modification to buffers, mitigating the effects of unvalidated IOCTL buffer handling.