Introduction
A missing bounds check in Qualcomm's StrongBox Secure Processor firmware means that the very component designed to be the hardware root of trust on Android devices can be turned against them. CVE-2026-25276 carries a CVSS 8.8 Critical rating with a Scope Changed designation, indicating that exploitation within the isolated Secure Processing Unit can propagate impact into the host Android operating system, undermining the fundamental security boundary that StrongBox exists to enforce.
The vulnerability affects a sprawling list of over 40 Qualcomm chipsets, from current flagships like the Snapdragon 8 Elite down to legacy platforms like the Snapdragon 865 5G, along with connectivity, audio, and industrial components. Given Qualcomm's approximately 24.7% share of the global smartphone chipset market and its dominance in the premium Android segment, the potential blast radius spans hundreds of millions of devices across dozens of OEMs.
Technical Information
Root Cause: CWE-129 in the Secure Processor
CVE-2026-25276 is classified under CWE-129: Improper Validation of Array Index, which MITRE defines as occurring when "the product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index." In this case, the StrongBox firmware within Qualcomm's Secure Processing Unit (SPU) fails to validate an array index before using it, allowing an out of bounds memory access that results in memory corruption.
Understanding StrongBox and the SPU
StrongBox is Android's implementation of a hardware backed keystore, provided through the StrongBox KeyMint (previously Keymaster) interface. It is backed by a dedicated secure element: a separate, isolated microprocessor within the device designed to provide a highly secure environment for storing sensitive data and executing cryptographic operations. On Qualcomm Snapdragon platforms, StrongBox is implemented within the Qualcomm Secure Processing Unit (SPU), which provides hardware isolated security separate from the main application processor and the Trusted Execution Environment (TEE). The SPU handles cryptographic key generation, storage, and operations including attestation, signing, and encryption.
This architectural context is critical for understanding the severity. A memory corruption bug in a regular application is one thing. A memory corruption bug in the component that guards every hardware backed cryptographic key on the device is categorically different.
CVSS Vector Breakdown
The full CVSS v3.1 vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, scoring 8.8:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Local (AV:L) | Attacker needs local access to the device |
| Attack Complexity | Low (AC:L) | Exploitation requires no special conditions |
| Privileges Required | Low (PR:L) | Only low privilege access is needed |
| User Interaction | None (UI:N) | No user interaction required |
| Scope | Changed (S:C) | Impact escapes the vulnerable component's security scope |
| Confidentiality | High (C:H) | Total information disclosure possible |
| Integrity | High (I:H) | Total system integrity compromise possible |
| Availability | High (A:H) | Total availability disruption possible |
The Scope Changed (S:C) designation deserves particular attention. It indicates that the vulnerability's impact crosses a trust boundary: exploitation within the Secure Processor (a separate security authority) can compromise resources governed by the host Android OS. A local attacker who exploits this StrongBox flaw can potentially escalate from the isolated secure world into the rich execution environment.
Attack Flow
Based on the CWE-129 classification and the vulnerability description, the exploitation pathway follows these steps:
-
Initial Access: The attacker obtains local access to the device. This could be achieved through a malicious application, physical access, or a prior compromise. Low privileges are sufficient (PR:L), meaning the attacker does not need root or administrative access.
-
Index Manipulation: The attacker supplies or influences an array index value that is passed into StrongBox without proper bounds validation. Given that StrongBox processes cryptographic operations, the index may relate to key slot selection, operation dispatch tables, or internal buffer management within the SPU.
-
Memory Corruption: The unchecked index causes an out of bounds memory access within the Secure Processor, resulting in memory corruption. Depending on whether the out of bounds access is a read or write, this could lead to information disclosure, arbitrary code execution within the SPU, or both.
-
Scope Escalation: Because the SPU shares certain interfaces and data with the host OS (key material, attestation responses, cryptographic operation results), corrupting SPU memory can propagate impact to the Android OS. This could enable extraction of cryptographic keys, forgery of attestation certificates, or bypass of hardware backed security guarantees.
No user interaction is required (UI:N), and attack complexity is low (AC:L), indicating that once local access is obtained, exploitation is straightforward and reliable.
Companion Vulnerability: CVE-2026-25277
The same Qualcomm June 2026 bulletin discloses CVE-2026-25277, a second Critical vulnerability in the Secure Processor StrongBox component with an identical CVSS score of 8.8 and the same affected chipset list. Unlike CVE-2026-25276 (CWE-129, missing bounds check), CVE-2026-25277 is a buffer overflow classified under CWE-120: Buffer Copy Without Checking Size of Input. The co-occurrence of two Critical StrongBox vulnerabilities with different root causes in the same patch cycle suggests a broader systemic deficiency in StrongBox input validation practices. Two distinct input validation failures in the same component point to a pattern rather than an isolated coding error, and addressing only the specific code paths in each CVE may leave analogous unreported weaknesses in adjacent code.
Patch Information
CVE-2026-25276 has been addressed by Qualcomm and acknowledged in both the Qualcomm June 2026 Security Bulletin and the Android Security Bulletin for June 2026, published on June 1, 2026.
This is a closed source proprietary fix. There is no publicly available source code commit or code diff to inspect. Because the vulnerability resides inside Qualcomm's proprietary Secure Processor firmware, the fix is not delivered through AOSP source code patches. Instead, it is distributed as an updated binary driver to OEMs. In the Android Security Bulletin, the entry is marked with an asterisk (*) next to its Android bug reference A-500022090, which Google uses to denote that the update is contained in the latest proprietary binary drivers. For Pixel devices, these are available from the Google Developer site.
The patch is gated behind the 2026-06-05 Android security patch level. Any device reporting a security patch level of 2026-06-05 or later has incorporated the fix. Qualcomm notified OEM customers about this vulnerability on April 6, 2026, giving partners roughly two months of lead time before the public bulletin.
The vulnerability was discovered internally by Qualcomm (the "Date Reported" field reads "Internal"), meaning it was not reported by an external researcher. The Qualcomm bulletin explicitly states that patches are being actively shared with OEMs and that they are "strongly recommended to deploy those patches on released devices as soon as possible."
Organizations should verify that all Qualcomm powered Android devices in their fleet are running at least the 2026-06-05 patch level. Because CVE-2026-25276 and CVE-2026-25277 both affect the same StrongBox component with the same CVSS score and affected chipset list, confirm that applied patches address both vulnerabilities simultaneously.
Affected Systems and Versions
The following chipsets are confirmed affected by CVE-2026-25276 per the Qualcomm June 2026 Security Bulletin:
Flagship Mobile Platforms
- Snapdragon 8 Gen 2
- Snapdragon 8 Gen 3
- Snapdragon 8+ Gen 2
- Snapdragon 8 Elite
- Snapdragon 8 Elite Gen 5
Legacy Flagship Platforms
- Snapdragon 865 5G
- Snapdragon 865+ 5G
- Snapdragon 870 5G
- SD865 5G
Mid Range Mobile
- Snapdragon 460
- Snapdragon 662
AR/VR Platforms
- Snapdragon AR1 Gen 1
- Snapdragon XR2 5G
- Snapdragon XR2+ Gen 1
Connectivity
- FastConnect 6700, 6800, 6900, 7800
- QCA6391, QCA6698AU, QCA6797AQ
Modem
- Snapdragon X55 5G Modem RF System
Audio Components
- WCD9370, WCD9375, WCD9380, WCD9385, WCD9390, WCD9395
- WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H
Industrial/IoT
- QCM5430, QCM6490, QCM8838
- QCN9011, QCN9012
- QCS8550, CQ8750M
- G3x Gen 2, Pandeiro
Video Collaboration
- Qualcomm Video Collaboration VC3 Platform
This breadth of affected components, spanning flagship and mid range mobile platforms, AR/VR headsets, connectivity modules, audio codecs, and industrial chipsets, indicates the StrongBox implementation is shared across Qualcomm's product portfolio.
Vendor Security History
Qualcomm's recent security track record reveals a pattern of critical vulnerabilities in core platform components:
| Vulnerability | Date | Severity | Status | Detail |
|---|---|---|---|---|
| CVE-2026-25276 | June 2026 | Critical (8.8) | Patched | Missing bounds check in StrongBox Secure Processor |
| CVE-2026-25277 | June 2026 | Critical (8.8) | Patched | Buffer overflow in StrongBox Secure Processor |
| CVE-2026-21385 | March 2026 | Critical | Actively exploited | Memory corruption in Qualcomm display, 234 chipsets affected |
| CVE-2025-48651 | Prior | High | Patched | StrongBox vulnerability enabling key extraction |
| CVE-2026-25258/25259 | June 2026 | High | Patched | Out of bounds read/write in DSP Service |
The March 2026 zero day CVE-2026-21385 is particularly relevant context. Google's Threat Analysis Group (TAG) discovered it and confirmed it was under "limited, targeted exploitation," affecting 234 chipsets. Google released patches for 129 Android vulnerabilities including this actively exploited Qualcomm flaw. TAG's involvement signals that the exploitation was likely linked to targeted surveillance operations rather than opportunistic criminal activity.
The previous StrongBox vulnerability CVE-2025-48651 was reported by SecurityWeek as having the potential to allow attackers to extract cryptographic keys from the Qualcomm Secure Execution Environment. This establishes a precedent for StrongBox flaws enabling key extraction, which raises the assessed impact of CVE-2026-25276.
Google's 2025 Zero Day Review documents a broader trend of commercial surveillance vendors and nation state actors stockpiling and deploying zero days against mobile targets, with Android chipsets being a frequent target category. Zero day vulnerabilities in mobile platforms, particularly those affecting chipsets and firmware, are increasingly valuable to threat actors because they provide reliable, persistent access that is difficult to detect and mitigate at the OS level.
References
- Qualcomm June 2026 Security Bulletin
- Android Security Bulletin, June 2026
- CVE-2026-25276 NVD Entry
- CWE-129: Improper Validation of Array Index
- Android Hardware Security Best Practices
- Qualcomm: Guard Your Data with the Snapdragon Mobile Platform (PDF)
- Severe StrongBox Vulnerability Patched in Android, SecurityWeek
- CVE-2026-21385: Google Patches Qualcomm Zero Day Exploited, SOC Prime
- Google Addresses Actively Exploited Qualcomm Zero Day, CyberScoop
- Look What You Made Us Patch: 2025 Zero Days in Review, Google Cloud Blog
- MediaTek Estimated To Remain Global Smartphone Chipset Market Leader, WCCFTech
- Google Pixel Binary Drivers



