CVE-2026-21381
Published: 06 April 2026
Summary
CVE-2026-21381 is a high-severity Buffer Over-read (CWE-126) vulnerability in Qualcomm Ar8035 Firmware. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 9.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the buffer over-read (CWE-126) by enforcing validation of service data frame lengths at NAN protocol input points to prevent processing of excessive length frames.
Provides comprehensive denial-of-service protection tailored to mitigate transient DoS triggered by malformed excessive-length NAN service data frames.
Memory protection mechanisms help mitigate the effects of buffer over-reads during NAN device matching frame processing, reducing crash likelihood.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer over-read in NAN protocol directly enables application/system exploitation for endpoint DoS (T1499.004).
NVD Description
Transient DOS when receiving a service data frame with excessive length during device matching over a neighborhood awareness network protocol connection.
Deeper analysisAI
CVE-2026-21381 is a transient denial-of-service (DoS) vulnerability stemming from a buffer over-read (CWE-126) that occurs when receiving a service data frame with excessive length during device matching over a Neighborhood Awareness Network (NAN) protocol connection. It affects Qualcomm components, as detailed in their security bulletin.
Exploitation requires network access (AV:N), high attack complexity (AC:H), high privileges (PR:H), and user interaction (UI:R), with a scoped impact (S:C) leading to high confidentiality, integrity, and availability consequences (C:H/I:H/A:H), scoring 7.6 on CVSS 3.1. A privileged attacker could thus trigger the transient DoS, potentially disrupting device functionality during NAN-based peer discovery.
Qualcomm's April 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html provides further details on affected products and recommended mitigations or patches.
Details
- CWE(s)