ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-25276, Qualcomm StrongBox Bounds Check Bypass Threatens Hardware Root of Trust

A brief summary of CVE-2026-25276, a critical memory corruption vulnerability in Qualcomm's StrongBox Secure Processor caused by a missing array index bounds check. Patch information and affected chipset details are included.

CVE Analysis

12 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-01

Quick Look: CVE-2026-25276, Qualcomm StrongBox Bounds Check Bypass Threatens Hardware Root of Trust
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing bounds check in Qualcomm's StrongBox Secure Processor firmware means that the very component designed to be the hardware root of trust on Android devices can be turned against them. CVE-2026-25276 carries a CVSS 8.8 Critical rating with a Scope Changed designation, indicating that exploitation within the isolated Secure Processing Unit can propagate impact into the host Android operating system, undermining the fundamental security boundary that StrongBox exists to enforce.

The vulnerability affects a sprawling list of over 40 Qualcomm chipsets, from current flagships like the Snapdragon 8 Elite down to legacy platforms like the Snapdragon 865 5G, along with connectivity, audio, and industrial components. Given Qualcomm's approximately 24.7% share of the global smartphone chipset market and its dominance in the premium Android segment, the potential blast radius spans hundreds of millions of devices across dozens of OEMs.

Technical Information

Root Cause: CWE-129 in the Secure Processor

CVE-2026-25276 is classified under CWE-129: Improper Validation of Array Index, which MITRE defines as occurring when "the product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index." In this case, the StrongBox firmware within Qualcomm's Secure Processing Unit (SPU) fails to validate an array index before using it, allowing an out of bounds memory access that results in memory corruption.

Understanding StrongBox and the SPU

StrongBox is Android's implementation of a hardware backed keystore, provided through the StrongBox KeyMint (previously Keymaster) interface. It is backed by a dedicated secure element: a separate, isolated microprocessor within the device designed to provide a highly secure environment for storing sensitive data and executing cryptographic operations. On Qualcomm Snapdragon platforms, StrongBox is implemented within the Qualcomm Secure Processing Unit (SPU), which provides hardware isolated security separate from the main application processor and the Trusted Execution Environment (TEE). The SPU handles cryptographic key generation, storage, and operations including attestation, signing, and encryption.

This architectural context is critical for understanding the severity. A memory corruption bug in a regular application is one thing. A memory corruption bug in the component that guards every hardware backed cryptographic key on the device is categorically different.

CVSS Vector Breakdown

The full CVSS v3.1 vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, scoring 8.8:

MetricValueImplication
Attack VectorLocal (AV:L)Attacker needs local access to the device
Attack ComplexityLow (AC:L)Exploitation requires no special conditions
Privileges RequiredLow (PR:L)Only low privilege access is needed
User InteractionNone (UI:N)No user interaction required
ScopeChanged (S:C)Impact escapes the vulnerable component's security scope
ConfidentialityHigh (C:H)Total information disclosure possible
IntegrityHigh (I:H)Total system integrity compromise possible
AvailabilityHigh (A:H)Total availability disruption possible

The Scope Changed (S:C) designation deserves particular attention. It indicates that the vulnerability's impact crosses a trust boundary: exploitation within the Secure Processor (a separate security authority) can compromise resources governed by the host Android OS. A local attacker who exploits this StrongBox flaw can potentially escalate from the isolated secure world into the rich execution environment.

Attack Flow

Based on the CWE-129 classification and the vulnerability description, the exploitation pathway follows these steps:

  1. Initial Access: The attacker obtains local access to the device. This could be achieved through a malicious application, physical access, or a prior compromise. Low privileges are sufficient (PR:L), meaning the attacker does not need root or administrative access.

  2. Index Manipulation: The attacker supplies or influences an array index value that is passed into StrongBox without proper bounds validation. Given that StrongBox processes cryptographic operations, the index may relate to key slot selection, operation dispatch tables, or internal buffer management within the SPU.

  3. Memory Corruption: The unchecked index causes an out of bounds memory access within the Secure Processor, resulting in memory corruption. Depending on whether the out of bounds access is a read or write, this could lead to information disclosure, arbitrary code execution within the SPU, or both.

  4. Scope Escalation: Because the SPU shares certain interfaces and data with the host OS (key material, attestation responses, cryptographic operation results), corrupting SPU memory can propagate impact to the Android OS. This could enable extraction of cryptographic keys, forgery of attestation certificates, or bypass of hardware backed security guarantees.

No user interaction is required (UI:N), and attack complexity is low (AC:L), indicating that once local access is obtained, exploitation is straightforward and reliable.

Companion Vulnerability: CVE-2026-25277

The same Qualcomm June 2026 bulletin discloses CVE-2026-25277, a second Critical vulnerability in the Secure Processor StrongBox component with an identical CVSS score of 8.8 and the same affected chipset list. Unlike CVE-2026-25276 (CWE-129, missing bounds check), CVE-2026-25277 is a buffer overflow classified under CWE-120: Buffer Copy Without Checking Size of Input. The co-occurrence of two Critical StrongBox vulnerabilities with different root causes in the same patch cycle suggests a broader systemic deficiency in StrongBox input validation practices. Two distinct input validation failures in the same component point to a pattern rather than an isolated coding error, and addressing only the specific code paths in each CVE may leave analogous unreported weaknesses in adjacent code.

Patch Information

CVE-2026-25276 has been addressed by Qualcomm and acknowledged in both the Qualcomm June 2026 Security Bulletin and the Android Security Bulletin for June 2026, published on June 1, 2026.

This is a closed source proprietary fix. There is no publicly available source code commit or code diff to inspect. Because the vulnerability resides inside Qualcomm's proprietary Secure Processor firmware, the fix is not delivered through AOSP source code patches. Instead, it is distributed as an updated binary driver to OEMs. In the Android Security Bulletin, the entry is marked with an asterisk (*) next to its Android bug reference A-500022090, which Google uses to denote that the update is contained in the latest proprietary binary drivers. For Pixel devices, these are available from the Google Developer site.

The patch is gated behind the 2026-06-05 Android security patch level. Any device reporting a security patch level of 2026-06-05 or later has incorporated the fix. Qualcomm notified OEM customers about this vulnerability on April 6, 2026, giving partners roughly two months of lead time before the public bulletin.

The vulnerability was discovered internally by Qualcomm (the "Date Reported" field reads "Internal"), meaning it was not reported by an external researcher. The Qualcomm bulletin explicitly states that patches are being actively shared with OEMs and that they are "strongly recommended to deploy those patches on released devices as soon as possible."

Organizations should verify that all Qualcomm powered Android devices in their fleet are running at least the 2026-06-05 patch level. Because CVE-2026-25276 and CVE-2026-25277 both affect the same StrongBox component with the same CVSS score and affected chipset list, confirm that applied patches address both vulnerabilities simultaneously.

Affected Systems and Versions

The following chipsets are confirmed affected by CVE-2026-25276 per the Qualcomm June 2026 Security Bulletin:

Flagship Mobile Platforms

  • Snapdragon 8 Gen 2
  • Snapdragon 8 Gen 3
  • Snapdragon 8+ Gen 2
  • Snapdragon 8 Elite
  • Snapdragon 8 Elite Gen 5

Legacy Flagship Platforms

  • Snapdragon 865 5G
  • Snapdragon 865+ 5G
  • Snapdragon 870 5G
  • SD865 5G

Mid Range Mobile

  • Snapdragon 460
  • Snapdragon 662

AR/VR Platforms

  • Snapdragon AR1 Gen 1
  • Snapdragon XR2 5G
  • Snapdragon XR2+ Gen 1

Connectivity

  • FastConnect 6700, 6800, 6900, 7800
  • QCA6391, QCA6698AU, QCA6797AQ

Modem

  • Snapdragon X55 5G Modem RF System

Audio Components

  • WCD9370, WCD9375, WCD9380, WCD9385, WCD9390, WCD9395
  • WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H

Industrial/IoT

  • QCM5430, QCM6490, QCM8838
  • QCN9011, QCN9012
  • QCS8550, CQ8750M
  • G3x Gen 2, Pandeiro

Video Collaboration

  • Qualcomm Video Collaboration VC3 Platform

This breadth of affected components, spanning flagship and mid range mobile platforms, AR/VR headsets, connectivity modules, audio codecs, and industrial chipsets, indicates the StrongBox implementation is shared across Qualcomm's product portfolio.

Vendor Security History

Qualcomm's recent security track record reveals a pattern of critical vulnerabilities in core platform components:

VulnerabilityDateSeverityStatusDetail
CVE-2026-25276June 2026Critical (8.8)PatchedMissing bounds check in StrongBox Secure Processor
CVE-2026-25277June 2026Critical (8.8)PatchedBuffer overflow in StrongBox Secure Processor
CVE-2026-21385March 2026CriticalActively exploitedMemory corruption in Qualcomm display, 234 chipsets affected
CVE-2025-48651PriorHighPatchedStrongBox vulnerability enabling key extraction
CVE-2026-25258/25259June 2026HighPatchedOut of bounds read/write in DSP Service

The March 2026 zero day CVE-2026-21385 is particularly relevant context. Google's Threat Analysis Group (TAG) discovered it and confirmed it was under "limited, targeted exploitation," affecting 234 chipsets. Google released patches for 129 Android vulnerabilities including this actively exploited Qualcomm flaw. TAG's involvement signals that the exploitation was likely linked to targeted surveillance operations rather than opportunistic criminal activity.

The previous StrongBox vulnerability CVE-2025-48651 was reported by SecurityWeek as having the potential to allow attackers to extract cryptographic keys from the Qualcomm Secure Execution Environment. This establishes a precedent for StrongBox flaws enabling key extraction, which raises the assessed impact of CVE-2026-25276.

Google's 2025 Zero Day Review documents a broader trend of commercial surveillance vendors and nation state actors stockpiling and deploying zero days against mobile targets, with Android chipsets being a frequent target category. Zero day vulnerabilities in mobile platforms, particularly those affecting chipsets and firmware, are increasingly valuable to threat actors because they provide reliable, persistent access that is difficult to detect and mitigate at the OS level.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization