ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-25277 — Qualcomm Secure Processor StrongBox Buffer Overflow Threatens Hardware Backed Key Storage

A brief summary of CVE-2026-25277, a critical buffer overflow in Qualcomm's Secure Processor StrongBox subsystem affecting 50+ chipsets. Includes patch details, affected platforms, and threat intelligence context.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-01

Quick Look: CVE-2026-25277 — Qualcomm Secure Processor StrongBox Buffer Overflow Threatens Hardware Backed Key Storage
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A classic buffer overflow in Qualcomm's Secure Processing Unit, the hardware root of trust for Android's StrongBox Keymaster, puts hardware-backed cryptographic keys at risk across more than 50 chipsets powering flagship smartphones, AR/VR headsets, and IoT devices. CVE-2026-25277 carries a CVSS 8.8 score with a Scope Changed designation, meaning successful exploitation of this isolated secure element can break its security boundary and compromise the broader Android system, undermining the very isolation guarantee the SPU was designed to provide.

The timing adds urgency: just three months ago, a similar Qualcomm firmware buffer overflow (CVE-2026-21385) was confirmed exploited in targeted Android attacks, establishing a clear pattern of real world interest in this class of vulnerability from sophisticated threat actors.

Technical Information

Root Cause: CWE-120 in the Secure Processor

CVE-2026-25277 is classified under CWE-120: Buffer Copy Without Checking Size of Input. The Qualcomm June 2026 Security Bulletin titles it "Buffer Copy Without Checking Size of Input in Secure Processor" and describes the flaw as "Memory corruption while using Strongbox due to buffer overflow." The root cause is straightforward: data is copied into a buffer within the SPU's StrongBox firmware without verifying that the input size does not exceed the buffer's allocated capacity. When oversized input is provided, adjacent memory is overwritten, resulting in memory corruption.

Understanding the Attack Surface: Qualcomm SPU and StrongBox

The Qualcomm Secure Processing Unit (SPU) is an on-die secure element integrated directly into Snapdragon SoCs. It operates as a physically isolated execution environment, separate from the main application processor, and is designed to run High Assurance Applications that previously required external discrete security chips. The SPU serves as the hardware foundation for Android's StrongBox Keymaster implementation, a hardware-backed keystore that manages:

  • Generation, storage, and use of cryptographic keys
  • Biometric authentication credentials
  • File-based encryption keys
  • Payment credential protection

The SPU has been certified to Common Criteria EAL-4+ (approved by the German Federal Office for Information Security) and submitted to the NIST Cryptographic Module Validation Program under FIPS 140-2. The presence of a classic buffer overflow in this certified component is a notable reminder that formal evaluation assesses design and process rigor, not the absence of every possible implementation flaw.

CVSS Vector Breakdown

The full CVSS v3.1 vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:

CVSS MetricValueInterpretation
Attack Vector (AV)LocalAttacker needs local access to the device
Attack Complexity (AC)LowNo special conditions required for exploitation
Privileges Required (PR)LowA standard unprivileged app is sufficient
User Interaction (UI)NoneNo user action needed
Scope (S)ChangedImpact crosses the SPU isolation boundary into the Android OS
Confidentiality (C)HighComplete information disclosure possible
Integrity (I)HighComplete system integrity compromise possible
Availability (A)HighComplete denial of service possible

The Scope Changed designation is the most consequential element here. The entire purpose of the SPU is to maintain a hardware isolation boundary. A vulnerability that crosses that boundary inverts the security model: instead of the SPU protecting secrets from a compromised OS, the SPU itself becomes the vector through which the OS is further compromised.

Exploitation Flow

Based on the available technical data, a plausible exploitation chain would proceed as follows:

  1. Initial access: An attacker achieves low-privilege local access on the target device, for example through a malicious application installed via social engineering or a supply chain compromise.

  2. Trigger the overflow: The malicious application sends a crafted input to the StrongBox Keymaster interface that exceeds the expected buffer size. The specific API call or ioctl that triggers the overflow has not been publicly disclosed.

  3. Memory corruption: Because the SPU firmware does not validate the input size before copying (CWE-120), the overflow corrupts adjacent memory within the SPU.

  4. Boundary escape: Given the Scope Changed impact rating, the memory corruption can be leveraged to escape the SPU's isolation boundary, potentially allowing the attacker to extract confidential key material, modify system integrity, or cause denial of service conditions.

No proof-of-concept exploit code has been publicly disclosed. Several technical details remain unknown, including the specific buffer size and overflow boundary, whether the overflow is stack-based or heap-based within the SPU, and the precise firmware versions where the fix was applied.

Sibling Vulnerability: CVE-2026-25276

It is worth noting that CVE-2026-25276, a sibling vulnerability affecting StrongBox on the exact same chipset list, was disclosed in the same bulletin. While CVE-2026-25276 is an array index validation issue (CWE-129: Improper Validation of Array Index), CVE-2026-25277 specifically addresses a buffer copy without bounds checking. Both carry identical CVSS 3.1 scores of 8.8 and identical vectors, suggesting they were likely addressed in a coordinated StrongBox firmware update targeting multiple related memory safety issues in the same code path.

Patch Information

CVE-2026-25277 has been patched, though the fix lives entirely within Qualcomm's closed-source firmware. There is no publicly accessible source code commit or diff to inspect. Because StrongBox operates at the hardware trust boundary, the corrective code is proprietary and distributed exclusively through Qualcomm's OEM patch channel.

According to the Qualcomm June 2026 Security Bulletin, OEMs were notified on 2026-04-06, nearly two months before public disclosure. The bulletin states that patches are "being actively shared with OEMs, who have been notified and strongly recommended to deploy those patches on released devices as soon as possible."

On the Android side, the Android Security Bulletin for June 2026 lists CVE-2026-25277 under the "Qualcomm closed-source components" section with a severity rating of Critical. It is tracked as Android bug A-500022443, with an asterisk denoting that the issue is not publicly available and the update is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site. Devices running security patch level 2026-06-05 or later include the fix.

Because the Secure Processor firmware is delivered as a signed binary blob, end users cannot apply the fix independently. It must arrive through an OEM firmware or Android system update that incorporates the corrected Qualcomm binary. For Pixel devices, this means the June 2026 factory image or OTA. For other Android vendors, the timeline depends on each manufacturer's integration and release cycle.

Key patching actions for organizations:

PriorityActionRationale
ImmediateCheck with device OEMs for available patches for all affected Qualcomm-based devicesQualcomm has provided patches to OEMs but deployment timelines vary by manufacturer
ImmediatePrioritize patching of devices handling sensitive data (payment, authentication, healthcare)StrongBox protects cryptographic keys; compromise of these devices has the highest impact
Short-termRestrict installation of untrusted applications on affected devices in enterprise environmentsLow-privilege local access is required; reducing app installation reduces attack surface
OngoingMonitor Qualcomm security bulletins and CISA KEV updates for emerging threat intelligenceActive exploitation status may change

No workaround or configuration change that addresses the root cause without patching was identified. The vulnerability resides in SPU firmware, which cannot be disabled without breaking core Android security functionality including Keymaster, Gatekeeper, biometric authentication, and file-based encryption.

Affected Systems and Versions

The vulnerability affects over 50 Qualcomm chipsets and platforms. The following are the named affected platforms from the Qualcomm June 2026 Security Bulletin:

Flagship Mobile Platforms:

  • Snapdragon 8 Elite
  • Snapdragon 8 Elite Gen 5
  • Snapdragon 8 Gen 2
  • Snapdragon 8+ Gen 2
  • Snapdragon 8 Gen 3

Connectivity Components:

  • FastConnect 6700
  • FastConnect 6800
  • FastConnect 6900
  • FastConnect 7800

Audio Codecs:

  • WCD93xx series
  • WSA88xx series

The affected platforms span flagship smartphones, AR/VR headsets, and IoT devices. The vulnerability is in the Secure Processor component (StrongBox subsystem), and the affected component is proprietary closed-source firmware.

Android Patch Level: Devices running security patch level 2026-06-05 or later include the fix. The Android Security Bulletin tracks this as bug A-500022443 under Qualcomm closed-source components.

Vendor Security History

Qualcomm has a mixed but transparent security track record. The company publishes monthly security bulletins and maintains a dedicated product security team. The June 2026 bulletin alone addresses 24 CVEs across Critical, High, and Moderate severity levels.

However, Qualcomm components have been the target of confirmed in-the-wild exploitation:

  • CVE-2026-21385 (March 2026): A buffer overflow in Qualcomm SM7675P firmware was confirmed exploited in targeted Android attacks. Google's Android Security Bulletin warned of indications it "may be under limited, targeted exploitation." That same month, Google's security update contained the highest number of Android vulnerabilities patched in a single month since April 2018.

  • CVE-2024-43047 (2024): A Qualcomm DSP vulnerability flagged as possibly exploited by Google and Amnesty International.

  • CVE-2025-48651 (April 2026): A separate StrongBox vulnerability patched at high severity, affecting StrongBox implementations from Google, NXP, STMicroelectronics, and Thales, demonstrating that StrongBox vulnerabilities are not unique to Qualcomm.

The internal discovery of CVE-2026-25277 and the two-month lead time given to OEMs before public disclosure reflects responsible vulnerability management. The EAL-4+ certification and NIST CMVP validation of the SPU demonstrate investment in formal security assurance, even as the presence of a CWE-120 buffer overflow in this certified component illustrates the gap between certification and implementation correctness.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization