Introduction
A classic buffer overflow in Qualcomm's Secure Processing Unit, the hardware root of trust for Android's StrongBox Keymaster, puts hardware-backed cryptographic keys at risk across more than 50 chipsets powering flagship smartphones, AR/VR headsets, and IoT devices. CVE-2026-25277 carries a CVSS 8.8 score with a Scope Changed designation, meaning successful exploitation of this isolated secure element can break its security boundary and compromise the broader Android system, undermining the very isolation guarantee the SPU was designed to provide.
The timing adds urgency: just three months ago, a similar Qualcomm firmware buffer overflow (CVE-2026-21385) was confirmed exploited in targeted Android attacks, establishing a clear pattern of real world interest in this class of vulnerability from sophisticated threat actors.
Technical Information
Root Cause: CWE-120 in the Secure Processor
CVE-2026-25277 is classified under CWE-120: Buffer Copy Without Checking Size of Input. The Qualcomm June 2026 Security Bulletin titles it "Buffer Copy Without Checking Size of Input in Secure Processor" and describes the flaw as "Memory corruption while using Strongbox due to buffer overflow." The root cause is straightforward: data is copied into a buffer within the SPU's StrongBox firmware without verifying that the input size does not exceed the buffer's allocated capacity. When oversized input is provided, adjacent memory is overwritten, resulting in memory corruption.
Understanding the Attack Surface: Qualcomm SPU and StrongBox
The Qualcomm Secure Processing Unit (SPU) is an on-die secure element integrated directly into Snapdragon SoCs. It operates as a physically isolated execution environment, separate from the main application processor, and is designed to run High Assurance Applications that previously required external discrete security chips. The SPU serves as the hardware foundation for Android's StrongBox Keymaster implementation, a hardware-backed keystore that manages:
- Generation, storage, and use of cryptographic keys
- Biometric authentication credentials
- File-based encryption keys
- Payment credential protection
The SPU has been certified to Common Criteria EAL-4+ (approved by the German Federal Office for Information Security) and submitted to the NIST Cryptographic Module Validation Program under FIPS 140-2. The presence of a classic buffer overflow in this certified component is a notable reminder that formal evaluation assesses design and process rigor, not the absence of every possible implementation flaw.
CVSS Vector Breakdown
The full CVSS v3.1 vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:
| CVSS Metric | Value | Interpretation |
|---|---|---|
| Attack Vector (AV) | Local | Attacker needs local access to the device |
| Attack Complexity (AC) | Low | No special conditions required for exploitation |
| Privileges Required (PR) | Low | A standard unprivileged app is sufficient |
| User Interaction (UI) | None | No user action needed |
| Scope (S) | Changed | Impact crosses the SPU isolation boundary into the Android OS |
| Confidentiality (C) | High | Complete information disclosure possible |
| Integrity (I) | High | Complete system integrity compromise possible |
| Availability (A) | High | Complete denial of service possible |
The Scope Changed designation is the most consequential element here. The entire purpose of the SPU is to maintain a hardware isolation boundary. A vulnerability that crosses that boundary inverts the security model: instead of the SPU protecting secrets from a compromised OS, the SPU itself becomes the vector through which the OS is further compromised.
Exploitation Flow
Based on the available technical data, a plausible exploitation chain would proceed as follows:
-
Initial access: An attacker achieves low-privilege local access on the target device, for example through a malicious application installed via social engineering or a supply chain compromise.
-
Trigger the overflow: The malicious application sends a crafted input to the StrongBox Keymaster interface that exceeds the expected buffer size. The specific API call or ioctl that triggers the overflow has not been publicly disclosed.
-
Memory corruption: Because the SPU firmware does not validate the input size before copying (CWE-120), the overflow corrupts adjacent memory within the SPU.
-
Boundary escape: Given the Scope Changed impact rating, the memory corruption can be leveraged to escape the SPU's isolation boundary, potentially allowing the attacker to extract confidential key material, modify system integrity, or cause denial of service conditions.
No proof-of-concept exploit code has been publicly disclosed. Several technical details remain unknown, including the specific buffer size and overflow boundary, whether the overflow is stack-based or heap-based within the SPU, and the precise firmware versions where the fix was applied.
Sibling Vulnerability: CVE-2026-25276
It is worth noting that CVE-2026-25276, a sibling vulnerability affecting StrongBox on the exact same chipset list, was disclosed in the same bulletin. While CVE-2026-25276 is an array index validation issue (CWE-129: Improper Validation of Array Index), CVE-2026-25277 specifically addresses a buffer copy without bounds checking. Both carry identical CVSS 3.1 scores of 8.8 and identical vectors, suggesting they were likely addressed in a coordinated StrongBox firmware update targeting multiple related memory safety issues in the same code path.
Patch Information
CVE-2026-25277 has been patched, though the fix lives entirely within Qualcomm's closed-source firmware. There is no publicly accessible source code commit or diff to inspect. Because StrongBox operates at the hardware trust boundary, the corrective code is proprietary and distributed exclusively through Qualcomm's OEM patch channel.
According to the Qualcomm June 2026 Security Bulletin, OEMs were notified on 2026-04-06, nearly two months before public disclosure. The bulletin states that patches are "being actively shared with OEMs, who have been notified and strongly recommended to deploy those patches on released devices as soon as possible."
On the Android side, the Android Security Bulletin for June 2026 lists CVE-2026-25277 under the "Qualcomm closed-source components" section with a severity rating of Critical. It is tracked as Android bug A-500022443, with an asterisk denoting that the issue is not publicly available and the update is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site. Devices running security patch level 2026-06-05 or later include the fix.
Because the Secure Processor firmware is delivered as a signed binary blob, end users cannot apply the fix independently. It must arrive through an OEM firmware or Android system update that incorporates the corrected Qualcomm binary. For Pixel devices, this means the June 2026 factory image or OTA. For other Android vendors, the timeline depends on each manufacturer's integration and release cycle.
Key patching actions for organizations:
| Priority | Action | Rationale |
|---|---|---|
| Immediate | Check with device OEMs for available patches for all affected Qualcomm-based devices | Qualcomm has provided patches to OEMs but deployment timelines vary by manufacturer |
| Immediate | Prioritize patching of devices handling sensitive data (payment, authentication, healthcare) | StrongBox protects cryptographic keys; compromise of these devices has the highest impact |
| Short-term | Restrict installation of untrusted applications on affected devices in enterprise environments | Low-privilege local access is required; reducing app installation reduces attack surface |
| Ongoing | Monitor Qualcomm security bulletins and CISA KEV updates for emerging threat intelligence | Active exploitation status may change |
No workaround or configuration change that addresses the root cause without patching was identified. The vulnerability resides in SPU firmware, which cannot be disabled without breaking core Android security functionality including Keymaster, Gatekeeper, biometric authentication, and file-based encryption.
Affected Systems and Versions
The vulnerability affects over 50 Qualcomm chipsets and platforms. The following are the named affected platforms from the Qualcomm June 2026 Security Bulletin:
Flagship Mobile Platforms:
- Snapdragon 8 Elite
- Snapdragon 8 Elite Gen 5
- Snapdragon 8 Gen 2
- Snapdragon 8+ Gen 2
- Snapdragon 8 Gen 3
Connectivity Components:
- FastConnect 6700
- FastConnect 6800
- FastConnect 6900
- FastConnect 7800
Audio Codecs:
- WCD93xx series
- WSA88xx series
The affected platforms span flagship smartphones, AR/VR headsets, and IoT devices. The vulnerability is in the Secure Processor component (StrongBox subsystem), and the affected component is proprietary closed-source firmware.
Android Patch Level: Devices running security patch level 2026-06-05 or later include the fix. The Android Security Bulletin tracks this as bug A-500022443 under Qualcomm closed-source components.
Vendor Security History
Qualcomm has a mixed but transparent security track record. The company publishes monthly security bulletins and maintains a dedicated product security team. The June 2026 bulletin alone addresses 24 CVEs across Critical, High, and Moderate severity levels.
However, Qualcomm components have been the target of confirmed in-the-wild exploitation:
-
CVE-2026-21385 (March 2026): A buffer overflow in Qualcomm SM7675P firmware was confirmed exploited in targeted Android attacks. Google's Android Security Bulletin warned of indications it "may be under limited, targeted exploitation." That same month, Google's security update contained the highest number of Android vulnerabilities patched in a single month since April 2018.
-
CVE-2024-43047 (2024): A Qualcomm DSP vulnerability flagged as possibly exploited by Google and Amnesty International.
-
CVE-2025-48651 (April 2026): A separate StrongBox vulnerability patched at high severity, affecting StrongBox implementations from Google, NXP, STMicroelectronics, and Thales, demonstrating that StrongBox vulnerabilities are not unique to Qualcomm.
The internal discovery of CVE-2026-25277 and the two-month lead time given to OEMs before public disclosure reflects responsible vulnerability management. The EAL-4+ certification and NIST CMVP validation of the SPU demonstrate investment in formal security assurance, even as the presence of a CWE-120 buffer overflow in this certified component illustrates the gap between certification and implementation correctness.
References
- NVD: CVE-2026-25277
- CVE Record: CVE-2026-25277
- Qualcomm June 2026 Security Bulletin
- Android Security Bulletin: June 2026
- Qualcomm Snapdragon 855 Common Criteria EAL-4+ Certification Announcement
- Severe StrongBox Vulnerability Patched in Android (SecurityWeek)
- CVE-2026-21385: Google Patches Qualcomm Zero-Day Exploited in Targeted Attacks (SOCPrime)
- Google Addresses Actively Exploited Qualcomm Zero-Day (CyberScoop)
- Qualcomm Alerted to Possible Zero-Day Exploited in Targeted Attacks (SecurityWeek)
- CISA Known Exploited Vulnerabilities Catalog
- More CVEs, Same Playbook: 2026 Vulnerability Exploitation (Proofpoint)
- Qualcomm SPU FIPS 140-2 Security Policy (NIST CMVP)
- Qualcomm Security Advisory: March 2026 Monthly Rollup (Canadian Centre for Cyber Security)



