Introduction
An out-of-bounds write in Qualcomm's HLOS component allows a local attacker with low privileges to corrupt memory by supplying an oversized device identifier string, potentially escalating to full system compromise across more than 130 affected chipsets. With a CVSS 7.8 score and Qualcomm's documented history of similar vulnerabilities being weaponized in targeted spyware campaigns, CVE-2025-59605 warrants immediate attention from any organization managing a fleet of Android devices powered by Snapdragon, FastConnect, or related Qualcomm platforms.
Technical Information
Root Cause
CVE-2025-59605 is classified under CWE-787 (Out-of-Bounds Write), which MITRE ranks as the number one most dangerous software weakness. The vulnerability resides in Qualcomm's High Level Operating System (HLOS) component, specifically in the code path responsible for processing device identifier strings.
Under normal operation, device identifier strings are parsed into a fixed-size buffer. The vulnerable code does not perform adequate bounds checking on the length of incoming identifier strings. When a string exceeding the expected maximum length is supplied, the write operation continues past the end of the allocated buffer, corrupting adjacent memory regions.
This is a classic buffer overflow pattern in C/C++ code. CWE-787 defines this weakness as occurring when "the product writes data past the end, or before the beginning, of the intended buffer." In the context of an operating system component like HLOS, the corrupted memory can include control data such as return addresses or function pointers, enabling an attacker to redirect execution flow.
CVSS v3.1 Vector Analysis
The full CVSS v3.1 vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which breaks down as follows:
| Vector Component | Value | Interpretation |
|---|---|---|
| Attack Vector (AV) | Local | Attacker needs local access to the device |
| Attack Complexity (AC) | Low | Minimal conditions required beyond local access |
| Privileges Required (PR) | Low | Only a low privilege account is needed |
| User Interaction (UI) | None | No user action needed beyond the attacker's |
| Scope (S) | Unchanged | Impact confined to the vulnerable component |
| Confidentiality (C) | High | Total information disclosure possible |
| Integrity (I) | High | Total system integrity compromise possible |
| Availability (A) | High | Total system availability loss possible |
The combination of AC:L/PR:L/UI:N is notable: once an attacker has any local code execution on the device, the barrier to triggering this vulnerability is very low. No special timing, race conditions, or user interaction is required.
Attack Flow
Based on the vulnerability classification and CWE-787 characteristics, exploitation follows this sequence:
-
Establish Local Access: The attacker first achieves code execution on the target device at a low privilege level. This could occur through a malicious application installed by the user, a supply chain compromise, or as part of a multi-stage exploitation chain where a remote code execution vulnerability provides the initial foothold.
-
Craft Oversized Device Identifier: The attacker constructs a device identifier string that exceeds the expected maximum length accepted by the HLOS processing routine.
-
Trigger the Buffer Overflow: The crafted string is presented to the HLOS for processing. The HLOS copies the oversized string into a buffer allocated for the expected maximum length without performing proper bounds checking. The write operation overflows past the buffer boundary.
-
Corrupt Control Flow Data: The overflow corrupts adjacent memory. Depending on the memory layout, this can overwrite function pointers, return addresses, or other control flow data structures.
-
Achieve Privilege Escalation: Since HLOS operates at a higher privilege level than the attacking process, successful control flow hijack enables privilege escalation from a low privilege local account to full system compromise with high impact on confidentiality, integrity, and availability.
Companion Vulnerabilities in the Same Bulletin
The Qualcomm June 2026 Security Bulletin addresses several other vulnerabilities alongside CVE-2025-59605, including multiple additional CWE-787 flaws across different components:
| CVE ID | Component | Severity | CWE |
|---|---|---|---|
| CVE-2026-25276 | Secure Processor | Critical | Proprietary |
| CVE-2026-25277 | Secure Processor | Critical | Proprietary |
| CVE-2025-59604 | SPS Applications | High | Proprietary |
| CVE-2026-25258 | DSP Services | High | Proprietary |
| CVE-2026-25259 | DSP Services | High | CWE-787 |
| CVE-2025-59611 | Multiple | High | CWE-787 |
The recurrence of CWE-787 across HLOS, DSP Services, and other components in a single bulletin points to a systemic pattern of insufficient bounds checking in Qualcomm's proprietary C/C++ codebase rather than an isolated defect.
Patch Information
CVE-2025-59605 is addressed through the coordinated Qualcomm and Android security update pipeline. Because the vulnerability resides in a Qualcomm closed-source component, no public source code diff is available for review.
Qualcomm discovered the vulnerability internally and notified OEM customers on 2025-12-01, providing approximately six months of lead time before the public disclosure on June 1, 2026. During this window, Qualcomm shared the binary patch directly with its partners for integration into their respective firmware builds.
On the Android side, the Android Security Bulletin for June 2026 formally includes CVE-2025-59605 under the "Qualcomm closed-source components" section, tracked via Android bug ID A-465462444 (marked with an asterisk, indicating the fix is not publicly accessible through AOSP). The fix is covered by the 2026-06-05 security patch level.
How to verify you are protected: Check that your device's security patch level is set to 2026-06-05 or later. On Android devices, navigate to Settings, then About Phone, then Android Security Patch Level.
The patch delivery chain flows from Qualcomm to OEMs to end user devices through the standard Android monthly security update process. For Pixel devices, updated binary drivers are published on the Google Developer site. For other manufacturers (Samsung, Xiaomi, OnePlus, and others), the fix arrives via their respective monthly security update channels.
The scope of affected chipsets is very broad, spanning over 130 Qualcomm products including the Snapdragon 8 Gen 1 and Gen 2, Snapdragon 888/865/870 families, FastConnect 6200/6700/6800/6900/7800 Wi-Fi and Bluetooth controllers, automotive platforms (SA8155P, SA8295P, SA9000P), and various QCA series networking chipsets. The Qualcomm bulletin explicitly notes that "the list of affected chipsets may not be complete" and directs device OEMs to contact Qualcomm for definitive status.
No workarounds are available. Remediation depends entirely on OEM patch deployment.
Affected Systems and Versions
The vulnerability affects Qualcomm's HLOS component across a broad range of chipset families. The Qualcomm June 2026 Security Bulletin lists over 130 affected products, with the caveat that the list may not be complete. Known affected chipset families include:
FastConnect Series
- FastConnect 6200
- FastConnect 6700
- FastConnect 6800
- FastConnect 6900
- FastConnect 7800
Snapdragon Mobile Platforms
- Snapdragon 8 Gen 1
- Snapdragon 8 Gen 2
- Snapdragon 888
- Snapdragon 865
- Snapdragon 870
- Multiple additional Snapdragon mobile platforms across tiers
Snapdragon Compute Platforms
- Multiple laptop and desktop platforms
Automotive Platforms
- SA8155P
- SA8295P
- SA9000P
Networking and Audio
- Various QCA series networking chipsets
- Various audio and WSA subsystem components
Any Android device reporting a security patch level earlier than 2026-06-05 on an affected chipset should be considered vulnerable.
Vendor Security History
Qualcomm's security track record reveals a recurring pattern of memory corruption vulnerabilities in its proprietary firmware, several of which were confirmed as exploited in the wild before patches reached end users.
CVE-2024-43047 was a use-after-free vulnerability in the DSP service that Qualcomm acknowledged "may have been under limited, targeted exploitation." This vulnerability was historically weaponized in spyware attacks targeting journalists and dissidents, with links to commercial surveillance vendors.
CVE-2026-21385 was an integer overflow leading to memory corruption in the graphics subcomponent, affecting 235 chipsets. Google confirmed it was exploited in targeted Android attacks, and CISA added it to the Known Exploited Vulnerabilities catalog on March 3, 2026, mandating federal agencies to patch by March 24, 2026.
The "limited, targeted" phrasing used consistently by Google and Qualcomm for these exploited vulnerabilities indicates exploitation by sophisticated actors, typically nation-state groups or commercial spyware vendors, against high-value targets.
The June 2026 bulletin containing CVE-2025-59605 also includes multiple other CWE-787 classified vulnerabilities across different Qualcomm components, reinforcing that insufficient bounds checking remains a systemic challenge in the company's large C/C++ embedded codebase. While Qualcomm's disclosure process is systematic and well-structured, the underlying code continues to produce memory safety vulnerabilities at a notable rate.
A key operational concern is the patch fragmentation inherent in Qualcomm's ecosystem. Qualcomm does not deliver patches directly to end users. The OEM-mediated patch pipeline introduces variable delays, with some manufacturers patching within weeks and others never deploying updates for older device models. This fragmentation represents the single largest operational risk in responding to Qualcomm chipset vulnerabilities.
References
- NVD: CVE-2025-59605
- Qualcomm June 2026 Security Bulletin
- Android Security Bulletin: June 2026
- Android Security Bulletin: June 2026 (XR)
- Qualcomm Product Security
- CWE-787: Out-of-Bounds Write
- CISA Known Exploited Vulnerabilities Catalog
- CVE-2026-21385: Google Patches Qualcomm Zero-Day Exploited in Targeted Attacks
- High-Severity Zero-Day Vulnerability in Qualcomm Chips Actively Exploited
- Android Security Bulletin: March 2026
- Smartphone SoC Market Research Report



