CVE-2026-24082
Published: 04 May 2026
Summary
CVE-2026-24082 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm Qxm1096 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of known flaws like this Use After Free vulnerability through application of vendor-provided patches from the Qualcomm security bulletin.
Implements memory safeguards such as address space randomization and non-executable data to mitigate exploitation of memory corruption from copying data from a freed source.
Ensures receipt and dissemination of security advisories like the Qualcomm May 2026 bulletin to identify and address this specific vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local UAF memory corruption in Qualcomm kernel/driver component directly enables local privilege escalation via exploitation of software vulnerability.
NVD Description
Memory Corruption when copying data from a freed source while executing performance counter deselect operation.
Deeper analysisAI
CVE-2026-24082 is a memory corruption vulnerability stemming from copying data from a freed source during the execution of a performance counter deselect operation, classified under CWE-416 (Use After Free). It affects components within Qualcomm products, as documented in the vendor's security bulletin.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited by a local attacker with low privileges. Exploitation requires low complexity and no user interaction, potentially allowing the attacker to achieve high impacts on confidentiality, integrity, and availability, such as arbitrary code execution or system compromise.
Mitigation details, including patches and affected product versions, are provided in the Qualcomm May 2026 security bulletin available at https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html. Security practitioners should consult this advisory for deployment guidance.
Details
- CWE(s)