Cyber Posture

CVE-2026-21385

High · CISA KEV · Active Exploitation

Published: 02 March 2026

Modified: 04 March 2026
KEV Added: 03 March 2026
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.4th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21385 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Qualcomm Sm7675P Firmware. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 45.4th percentile by exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Directly requires timely identification, reporting, and patching of known flaws like this memory corruption vulnerability in Qualcomm components.

Prevent: Provides memory protection techniques such as ASLR and DEP to prevent exploitation of memory corruption from integer overflow in allocation alignments.

Detect: Enables detection of the presence of CVE-2026-21385 in the environment through vulnerability scanning, especially given its CISA KEV status.

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Local low-privilege memory corruption vulnerability (integer overflow) enables exploitation for privilege escalation, matching T1068, with confirmed real-world exploitation per CISA KEV.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Memory corruption while using alignments for memory allocation.

Deeper analysis · AI

CVE-2026-21385 is a memory corruption vulnerability that occurs while using alignments for memory allocation, mapped to CWE-190 (Integer Overflow or Wraparound). It affects Qualcomm components, as documented in the Qualcomm March 2026 security bulletin, and is addressed in the Android security bulletin for March 1, 2026.
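A generic illustration of the bug class named above (CWE-190 in the alignment arithmetic of an allocation size), added here as an example: it is not Qualcomm's code, and the affected routine is not described on this page. The function names, the 64-byte alignment and the request sizes are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked round-up to a power-of-two alignment. If size is within
 * align-1 of SIZE_MAX, size + (align - 1) wraps and the result is a
 * tiny value, so the caller allocates far less than was requested. */
static size_t align_up_unchecked(size_t size, size_t align)
{
    return (size + (align - 1)) & ~(align - 1);
}

/* Checked form: rejects a zero or non-power-of-two alignment and any
 * size whose rounded value cannot be represented in size_t. */
static bool align_up_checked(size_t size, size_t align, size_t *out)
{
    if (align == 0 || (align & (align - 1)) != 0)
        return false;
    if (size > SIZE_MAX - (align - 1))
        return false;               /* the addition would wrap */
    *out = (size + (align - 1)) & ~(align - 1);
    return true;
}

int main(void)
{
    /* Constructed inputs: two ordinary requests and one near SIZE_MAX. */
    const size_t requests[] = { 100, 4096, SIZE_MAX - 10 };
    const size_t align = 64;    /* assumed alignment for the example */

    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        size_t safe = 0;
        bool ok = align_up_checked(requests[i], align, &safe);
        printf("request=%zu unchecked=%zu checked=%s\n",
               requests[i], align_up_unchecked(requests[i], align),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The unchecked form turns the near-maximum request into an aligned size of 0, which is the mismatch between requested and allocated length that leads to memory corruption; the checked form refuses the request before any allocation happens.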

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A local attacker with low privileges can exploit it with low attack complexity and no user interaction required, achieving high impacts on confidentiality, integrity, and availability within the affected component.

Qualcomm and Android security bulletins provide patches to mitigate the issue. The vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, indicating real-world exploitation.

Security practitioners should prioritize patching affected Qualcomm-based Android devices, given its presence in the CISA catalog.

Details

CWE(s)
KEV Date Added: 03 March 2026

Affected Products

Vendor · Product · Versions
qualcomm · sm7675p firmware · all versions
qualcomm · sm8475p firmware · all versions
qualcomm · sm8550p firmware · all versions
qualcomm · sm8635 firmware · all versions
qualcomm · sm8635p firmware · all versions
qualcomm · sm8650q firmware · all versions
qualcomm · sm8750p firmware · all versions
qualcomm · smart audio 400 platform firmware · all versions
qualcomm · smart display 200 platform firmware · all versions
qualcomm · snapdragon 4 gen 1 mobile platform firmware · all versions
+227 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-59600 · Same product: Qualcomm Ar8031
CVE-2025-47379 · Same product: Qualcomm 5G Fixed Wireless Access Platform
CVE-2025-47386 · Same product: Qualcomm Ar8031
CVE-2025-47376 · Same product: Qualcomm Ar8031
CVE-2025-47375 · Same product: Qualcomm Ar8031
CVE-2025-47363 · Same product: Qualcomm Qam8255P
CVE-2025-47373 · Same product: Qualcomm Ar8035
CVE-2025-47389 · Same product: Qualcomm Ar8035
CVE-2025-47392 · Same product: Qualcomm 5G Fixed Wireless Access Platform
CVE-2025-47348 · Same product: Qualcomm Ar8035
