Cyber Resilience

CVE-2026-21382

High

Published: 06 April 2026

Published
06 April 2026
Modified
08 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 3.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21382 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Qualcomm Cologne Firmware. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-21382 is a memory corruption vulnerability stemming from improperly sized input/output buffers when handling power management requests, mapped to CWE-120 (Buffer Copy without Checking Size of Input). It affects components in Qualcomm products, as documented in their April 2026 security bulletin.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating a local attack vector with low attack complexity and low required privileges. A local attacker possessing low privileges can exploit it without user interaction, potentially achieving high impacts on confidentiality, integrity, and availability, such as arbitrary code execution or system compromise.

Mitigation details are provided in the Qualcomm security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html, published on 2026-04-06. Security practitioners should consult this advisory for patch availability and recommended actions.

EU & UK References

Vulnerability details

Memory Corruption when handling power management requests with improperly sized input/output buffers.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption (buffer overflow) in Qualcomm power management directly enables privilege escalation via exploitation, matching T1068 with high C/I/A impact and arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-47399Same product: Qualcomm Cologne
CVE-2025-47356Same product: Qualcomm Cologne
CVE-2024-45547Same product: Qualcomm Fastconnect 6900
CVE-2026-21380Same product: Qualcomm Cologne
CVE-2025-47343Same product: Qualcomm Cologne
CVE-2025-47358Same product: Qualcomm Fastconnect 6900
CVE-2025-59603Same product: Qualcomm Cologne
CVE-2025-47390Same product: Qualcomm Cologne
CVE-2026-25258Same product: Qualcomm Cologne
CVE-2025-47380Same product: Qualcomm Fastconnect 7800

Affected Assets

qualcomm
cologne firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
qca0000 firmware
all versions
qualcomm
sc8380xp firmware
all versions
qualcomm
wcd9378c firmware
all versions
qualcomm
wcd9380 firmware
all versions
qualcomm
wcd9385 firmware
all versions
qualcomm
wsa8840 firmware
all versions
qualcomm
wsa8845 firmware
all versions
+9 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-21382 by requiring timely patching of the specific buffer sizing flaw in Qualcomm power management components as detailed in the security bulletin.

prevent

Prevents memory corruption from improperly sized buffers in power management requests by enforcing validation of input sizes per CWE-120.

prevent

Implements memory protections such as stack guards and ASLR to thwart exploitation of the buffer overflow vulnerability even if input validation fails.

References