ZeroPath at Black Hat USA 2026

Qualcomm CVE-2026-24090: Brief Summary of a Boot Flow Cryptographic Bypass Affecting Dozens of Snapdragon Chipsets

A brief summary of CVE-2026-24090, a high severity cryptographic authentication bypass in Qualcomm's Application Bootloader that allows local attackers to modify the boot flow on a wide range of Snapdragon chipsets.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-01

Qualcomm CVE-2026-24090: Brief Summary of a Boot Flow Cryptographic Bypass Affecting Dozens of Snapdragon Chipsets
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing cryptographic authentication check in Qualcomm's Application Bootloader allows a locally authenticated attacker to tamper with partition table entries and redirect the device boot flow, potentially loading unauthorized code on dozens of Snapdragon chipset families. Disclosed in the Qualcomm June 2026 security bulletin and carrying a CVSS score of 7.1, CVE-2026-24090 affects a broad swath of premium mobile, AR/XR, wearable, and automotive platforms, and it arrives in a threat landscape where Qualcomm boot chain vulnerabilities have already been confirmed exploited in targeted attacks.

Technical Information

Root Cause: Missing Authentication in Partition Table Processing

CVE-2026-24090 resides in Qualcomm's Application Bootloader (ABL), which is built on the tianocore/edk2 UEFI framework and operates within the HLOS (High Level Operating System) technology area. The vulnerability is classified under CWE-306: Missing Authentication for Critical Function, defined by MITRE as occurring when "the product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources."

During device boot, the ABL processes partition table entries to determine which boot components to load. It uses the EDK2 GetBlkIOHandles function to scan the GUID Partition Table (GPT) for partitions bearing specific ASCII labels. When a viable EFI System Partition is located, the ABL reads the raw block device contents and submits them to the standard gBS->LoadImage() UEFI service. The critical flaw is that no cryptographic authentication check is performed on the partition table entries before the boot flow commits to loading the identified components.

This means an attacker with local device access and only basic user privileges can modify partition table entries to redirect the boot flow, causing the ABL to load unauthorized code instead of the legitimate boot components.

CVSS Vector Breakdown

The CVSS v3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N tells a specific story about the attack profile:

CVSS ComponentValueInterpretation
Attack Vector (AV)LocalAttacker needs local device access
Attack Complexity (AC)LowMinimal specialized knowledge required
Privileges Required (PR)LowBasic user privileges sufficient
User Interaction (UI)NoneNo user action needed beyond initial access
Scope (S)UnchangedImpact confined to the vulnerable component
Confidentiality (C)HighTotal information disclosure possible
Integrity (I)HighTotal system integrity compromise possible
Availability (A)NoneNo direct availability impact

The combination of local access with low privilege requirements means any application running on the device with basic permissions could potentially trigger exploitation. The high confidentiality and integrity impacts with no availability impact is consistent with a boot flow modification scenario: an attacker can read and modify boot components while the device remains operational, making the compromise harder to detect.

Architectural Context: UEFI Platform Key Failures

Related technical analysis of a Qualcomm bootchain vulnerability on the Snapdragon 8 Elite Gen 5 provides important architectural context. Researchers demonstrated that OEMs shipped retail devices with the UEFI Platform Key (PK) entirely unpopulated in Authenticated Variable Storage. This forces the EDK2 AuthVariableLib to transition the firmware from User Mode into an unauthenticated Setup Mode, where the DxeImageVerificationLib handler completely bypasses all Authenticode and RSA signature checks.

While that analysis addresses a different CVE, it illustrates the same architectural failure pattern that underlies CVE-2026-24090: cryptographic verification is missing during partition processing in the boot chain. The existence of a demonstrated, complete exploit chain against the same class of vulnerability on the same platform family elevates the practical risk of CVE-2026-24090.

Sibling Vulnerability: CVE-2026-24088

The same June 2026 Qualcomm security bulletin includes CVE-2026-24088, a related but higher severity vulnerability also classified under CWE-306. CVE-2026-24088 carries a CVSS score of 8.2 and is described as a "Cryptographic Issue while processing a specific partition which allows unauthorized write access to load a customized bootloader."

AttributeCVE-2026-24090CVE-2026-24088
CVSS Score7.18.2
Technology AreaHLOSBoot
CWECWE-306CWE-306
Description FocusPartition table entries; boot flow modificationSpecific partition; unauthorized bootloader write
Date Reported2025/12/152026/01/18
ReporterVoidTatoNot specified

Both vulnerabilities share the same root cause and should be treated as a coupled patch requirement. Addressing one without the other leaves an adjacent attack path open.

OEM Notification and Patch Latency

Qualcomm patched the issue in the ABL (tianocore/edk2) repository and notified OEMs on March 2, 2026. However, the NVD published the record only on June 1, 2026, creating a roughly three month window where OEMs had the patch but end users likely did not. The NVD entry still states "NVD assessment not yet provided" with no CVSS score assigned by NIST, so organizations should rely on the Qualcomm assigned CVSS 7.1 score for severity triage.

Affected Systems and Versions

The Qualcomm June 2026 bulletin lists the following chipset families as potentially affected. The bulletin explicitly notes that "the list of affected chipsets may not be complete":

Snapdragon Mobile: Snapdragon 4 Gen 1, Snapdragon 4 Gen 2, Snapdragon 460, Snapdragon 6 Gen 1, Snapdragon 6 Gen 3, Snapdragon 6 Gen 4, Snapdragon 662, Snapdragon 7 Gen 4, Snapdragon 7s Gen 3, Snapdragon 8 Elite, Snapdragon 8 Elite Gen 5, Snapdragon 8 Gen 2, Snapdragon 8 Gen 3, Snapdragon 8+ Gen 2

Snapdragon AR/XR: AR1 Gen 1, AR1+ Gen 1, XR2 Gen 1, XR2+ Gen 1

Snapdragon Wear: Wear Elite

FastConnect: FastConnect 6200, FastConnect 6700, FastConnect 6900, FastConnect 7800

Qualcomm Video Collaboration: VC1, VC3, VC5

Additional platforms: Various automotive and compute chipsets (specific model numbers listed in the Qualcomm bulletin)

The vulnerability affects the Application Bootloader (ABL) component built on the tianocore/edk2 UEFI framework. All devices using the affected ABL firmware on the listed chipsets should be considered vulnerable until the OEM firmware update is applied.

Vendor Security History

Qualcomm's boot chain and firmware have been a recurring focus for security researchers and threat actors:

CVE-2026-21385 was a Qualcomm zero day confirmed exploited in targeted Android attacks and added to the CISA Known Exploited Vulnerabilities catalog with an exploitation date of March 3, 2026. This confirms that Qualcomm boot and firmware vulnerabilities are actively targeted in the wild.

A bootchain zero day analysis published in March 2026 demonstrated a complete three stage autonomous exploit chain against the Snapdragon 8 Elite Gen 5, exploiting missing UEFI Platform Key enforcement to achieve permanent, undetectable bootloader unlock. The analysis revealed that OEMs shipped devices with unpopulated Platform Keys, effectively disabling UEFI Secure Boot.

Public proof of concept exploit code for Qualcomm bootchain vulnerabilities exists on platforms such as Sploitus, lowering the barrier for exploitation of similar weaknesses.

CVE-2026-24090 was reported to Qualcomm by security researcher "VoidTato" on December 15, 2025. The roughly 5.5 month disclosure timeline (December 2025 report to June 2026 publication) suggests Qualcomm followed a coordinated disclosure process, providing OEMs time to integrate the patch before public disclosure.

Qualcomm holds approximately 24.7% of global smartphone chipset shipments in 2026 and dominates the premium and flagship tiers. This means CVE-2026-24090 disproportionately affects high value enterprise and government mobile devices where flagship Snapdragon processors are standard.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization