Introduction
Remote code execution on millions of Android devices is possible simply by sending a specially crafted RTP packet. This is not a theoretical risk: CVE-2025-21483 exposes a critical flaw in Qualcomm Snapdragon chipsets, which are used in flagship and mid-range smartphones, tablets, automotive, and IoT devices worldwide.
About Qualcomm: Qualcomm is a dominant force in the mobile semiconductor industry. Its Snapdragon chipsets power a significant share of Android devices, with hundreds of millions of units shipped annually. The company’s products are foundational to mobile communications, wireless connectivity, and increasingly, automotive and IoT applications. Vulnerabilities in Qualcomm firmware can have global impact, affecting consumer, enterprise, and infrastructure deployments.
Technical Information
CVE-2025-21483 is a memory corruption vulnerability rooted in improper restriction of operations within the bounds of a memory buffer (CWE-119) in Qualcomm’s Data Network Stack and Connectivity components. The flaw is triggered when a user equipment (UE) device receives an RTP (Real-time Transport Protocol) packet from the network. During the reassembly of Network Abstraction Layer Units (NALUs) — which are used in video streaming protocols such as H.264, H.265, and H.266 — the firmware fails to properly validate the size and structure of incoming NALU data.
Malformed or oversized RTP packets can cause a heap-based buffer overflow during the NALU reassembly process. This allows remote attackers to corrupt memory and potentially execute arbitrary code at the firmware level. The vulnerability is exploitable over any network interface that processes RTP traffic, including cellular, Wi-Fi, and potentially Bluetooth, depending on device configuration. No authentication or user interaction is required.
The flaw is present in the low-level firmware of affected Snapdragon chipsets, which operate with high privileges and direct access to system resources. This makes exploitation particularly severe, as successful attacks can bypass many OS-level security controls.
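The size validation that the reassembly step needs, shown as a bounds-checked reassembler for H.264 FU-A fragments (RFC 6184). This is an added illustration, not Qualcomm's firmware or patch code; `nalu_ctx`, `nalu_feed_fua`, `nalu_reject`, and the 4096-byte `NALU_MAX` are assumed names and sizes, and the sample fragments in `main` are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NALU_MAX 4096            /* assumed capacity of the reassembly buffer */

typedef struct {
    uint8_t buf[NALU_MAX];
    size_t  len;                 /* bytes reassembled so far */
    int     active;              /* 1 once a start fragment was accepted */
} nalu_ctx;                      /* caller must zero-initialise before first use */

static int nalu_reject(nalu_ctx *c) { c->len = 0; c->active = 0; return -1; }

/* Feed one RTP payload holding an H.264 FU-A fragment (RFC 6184, type 28).
 * Returns 1 when the NALU is complete, 0 when more fragments are expected,
 * -1 when the fragment is rejected and the partial NALU is discarded. */
int nalu_feed_fua(nalu_ctx *c, const uint8_t *p, size_t n)
{
    if (n < 2 || (p[0] & 0x1F) != 28)        /* FU indicator + FU header required */
        return nalu_reject(c);
    int start = (p[1] & 0x80) != 0, end = (p[1] & 0x40) != 0;
    size_t dlen = n - 2;                     /* fragment bytes after both headers */

    if (start) {
        if (end) return nalu_reject(c);      /* S and E must not both be set */
        c->buf[0] = (uint8_t)((p[0] & 0xE0) | (p[1] & 0x1F)); /* rebuilt NAL header */
        c->len = 1;
        c->active = 1;
    } else if (!c->active) {
        return nalu_reject(c);               /* continuation without a start */
    }
    if (dlen > NALU_MAX - c->len)            /* bound the running total, no wraparound */
        return nalu_reject(c);
    memcpy(c->buf + c->len, p + 2, dlen);
    c->len += dlen;
    if (end) c->active = 0;
    return end;
}

int main(void)
{
    static nalu_ctx c;                       /* constructed sample fragments below */
    const uint8_t first[] = {0x7C, 0x85, 0xAA, 0xBB}, last[] = {0x7C, 0x45, 0xCC};
    int r1 = nalu_feed_fua(&c, first, sizeof first);
    int r2 = nalu_feed_fua(&c, last, sizeof last);
    printf("start=%d end=%d len=%zu hdr=0x%02X\n", r1, r2, c.len, c.buf[0]);
    return 0;
}
```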
Patch Information
In the September 2025 Android Security Bulletin, a critical vulnerability in the System component was identified, potentially allowing remote (proximal/adjacent) code execution without user interaction. To address this, a comprehensive patch was developed and integrated into the Android Open Source Project (AOSP). This patch involves several key modifications:
- Input Validation Enhancements: The patch introduces rigorous checks to validate incoming data, ensuring that only properly formatted and expected inputs are processed. This prevents malformed data from triggering unintended behaviors.
- Memory Management Improvements: By refining memory allocation and deallocation processes, the patch mitigates risks associated with buffer overflows and memory corruption, which are common vectors for code execution vulnerabilities.
- Access Control Reinforcement: The update strengthens permission checks, ensuring that only authorized processes can execute certain functions, thereby reducing the risk of unauthorized code execution.
These changes collectively fortify the System component against potential exploits, enhancing the overall security posture of Android devices.
For a detailed overview of the vulnerabilities addressed and the corresponding patches, refer to the official Android Security Bulletin for September 2025.
Affected Systems and Versions
CVE-2025-21483 affects the following Qualcomm platforms and associated devices:
- Snapdragon 8 Gen 1
- Snapdragon 8 Gen 2
- Snapdragon 8 Gen 3
- Snapdragon 865
- Snapdragon 870
- Snapdragon 888
- Snapdragon 8+ Gen 1
- Snapdragon 480
- Snapdragon 695
- Snapdragon 780G
- Snapdragon 782G
- FastConnect wireless connectivity solutions
- QCM industrial computing modules
- Automotive SoCs (Systems on Chip)
All device configurations using the above chipsets and running unpatched firmware or Android versions prior to the September 2025 security update are vulnerable. The attack surface includes smartphones, tablets, automotive infotainment systems, and IoT devices that process RTP traffic for multimedia applications.
Vendor Security History
Qualcomm has previously faced critical vulnerabilities in its modem and connectivity firmware, including issues in the same RTP and NALU processing logic. The company maintains a regular monthly security bulletin and coordinates with Android for timely patch releases. However, the closed-source nature of Qualcomm firmware and the need for OEM and carrier integration can delay patch availability for end users. Qualcomm’s security response is generally prompt in issuing advisories and patches, but real-world patch adoption can lag due to ecosystem complexity.