# December 2025 Security Bulletin

## Published: 12/01/2025

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices.
                This document includes (i) a description of security issues that have been addressed in QTI’s proprietary code and (ii) links to publicly available code where security issues have been addressed.

Please reach out to
                [securitybulletin@qti.qualcomm.com](mailto:securitybulletin@qti.qualcomm.com)
                for any questions related to this bulletin.

## Table of Contents

| Announcements |
| --- |
| Acknowledgements |
| Proprietary Software Issues |
| Open Source Software Issues |
| Industry Coordination |

##  Announcements 

None

## Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

| CVE-2025-47325 | Niek Timmers and Cristofaro Mune from Raelize |
| --- | --- |
| CVE-2025-27063 | conghuiwang |
| CVE-2025-47320 | Haonan Li < haonan.li@email.ucr.edu > |
| CVE-2025-47321 | Zinuo Han([https://twitter.com/ele7enxxh](https://twitter.com/ele7enxxh)) of OPPO Amber Security Lab |
| CVE-2025-47322 | ylva |

## Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software

This table lists high impact security vulnerabilities.
                Patches are being actively shared with OEMs, who have been notified and strongly recommended to deploy those patches on released devices as soon as possible. 
                Please contact the device manufacturer for information on the patching status of released devices.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2025-47319 | Critical | Medium | HLOS | Internal |
| CVE-2025-47372 | Critical | Critical | Boot | Internal |
| CVE-2025-47323 | High | High | Audio | Internal |
| CVE-2025-47325 | High | Medium | TZ Firmware | 09/03/2025 |
| CVE-2025-47350 | High | High | DSP Service | Internal |
| CVE-2025-47387 | High | High | Camera | Internal |

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2025-47321 | Medium | High | Core Services | 01/25/2025 |

### CVE-2025-47319

| CVE ID | CVE-2025-47319 |
| --- | --- |
| Title | Exposure of Sensitive System Information to an Unauthorized Control Sphere in HLOS |
| Description | Information disclosure while exposing internal TA-to-TA communication APIs to HLOS |
| Technology Area | HLOS |
| Vulnerability Type | CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere |
| Access Vector | Local |
| Security Rating | Critical |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N |
| Date Reported | Internal |
| Customer Notified Date | 2025/06/02 |
| Affected Chipsets\* | AR8035, FastConnect 6200, FastConnect 6700, FastConnect 6900, FastConnect 7800, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6174A, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6797AQ, QCA8081, QCA8337, QCC710, QCM5430, QCM6490, QCN6224, QCN6274, QCS5430, QCS6490, QDU1010, QDX1010, QDX1011, QEP8111, QFW7114, QFW7124, QMP1000, Qualcommr Video Collaboration VC3 Platform, SA6145P, SA6150P, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155P, SA8195P, SA8255P, SA8295P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SC8380XP, SM4635, SM6475, SM6650, SM6650P, SM7435, SM7635, SM7635P, SM7675, SM7675P, SM8635, SM8635P, SM8650Q, SM8735, SM8750, SM8750P, Snapdragon 4 Gen 2 Mobile Platform, Snapdragon 6 Gen 1 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon X32 5G Modem-RF System, Snapdragon X35 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, SRV1H, SRV1L, SRV1M, SSG2115P, SSG2125P, SXR1230P, SXR2230P, SXR2250P, WCD9340, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3950, WCN3988, WCN6650, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2025-47372

| CVE ID | CVE-2025-47372 |
| --- | --- |
| Title | Buffer Copy Without Checking Size of Input in Boot |
| Description | Memory Corruption when a corrupted ELF image with an oversized file size is read into a buffer without authentication. |
| Technology Area | Boot |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | Critical |
| CVSS Rating | Critical |
| CVSS Score | 9.0 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| Date Reported | Internal |
| Customer Notified Date | 2025/09/01 |
| Affected Chipsets\* | QAM8255P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6595, QCA6595AU, QCA6678AQ, QCA6696, QCA6698AQ, QCA6797AQ, SA7255P, SA7775P, SA8255P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SRV1H, SRV1L, SRV1M |

### CVE-2025-47323

| CVE ID | CVE-2025-47323 |
| --- | --- |
| Title | Integer Overflow or Wraparound in Audio |
| Description | Memory corruption while routing GPR packets between user and root when handling large data packet. |
| Technology Area | Audio |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/06/02 |
| Affected Chipsets\* | AR8035, CSRA6620, CSRA6640, FastConnect 6200, FastConnect 6700, FastConnect 6900, FastConnect 7800, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6174A, QCA6391, QCA6564, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6797AQ, QCA8081, QCA8337, QCC710, QCM2290, QCM4490, QCM5430, QCM6490, QCM8550, QCN6024, QCN6224, QCN6274, QCN9011, QCN9012, QCN9024, QCS2290, QCS4490, QCS5430, QCS6490, QCS8550, QEP8111, QFW7114, QFW7124, QMP1000, Qualcommr Video Collaboration VC3 Platform, Robotics RB2 Platform, SA4150P, SA4155P, SA6145P, SA6150P, SA6155, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8255P, SA8295P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SC8380XP, SD 8 Gen1 5G, SDX61, SDX71M, SG4150P, SG8275, SG8275P, SM4635, SM6475, SM6650, SM6650P, SM7325P, SM7435, SM7550, SM7550P, SM7635, SM7635P, SM7675, SM7675P, SM8475P, SM8550P, SM8635, SM8635P, SM8650Q, SM8735, SM8750, SM8750P, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 4 Gen 2 Mobile Platform, Snapdragon 460 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 6 Gen 1 Mobile Platform, Snapdragon 662 Mobile Platform, Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 695 5G Mobile Platform, Snapdragon 7 Gen 1 Mobile Platform, Snapdragon 7+ Gen 2 Mobile Platform, Snapdragon 778G 5G Mobile Platform, Snapdragon 778G+ 5G Mobile Platform (SM7325-AE), Snapdragon 782G Mobile Platform (SM7325-AF), Snapdragon 7c+ Gen 3 Compute, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 8 Gen 2 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 8+ Gen 1 Mobile Platform, Snapdragon 8+ Gen 2 Mobile Platform, Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB), Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X32 5G Modem-RF System, Snapdragon X35 5G Modem-RF System, Snapdragon X65 5G Modem-RF System, Snapdragon X70 Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, SRV1H, SRV1L, SRV1M, SSG2115P, SSG2125P, SW5100, SW5100P, SXR1230P, SXR2230P, SXR2250P, WCD9335, WCD9340, WCD9370, WCD9371, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3910, WCN3950, WCN3980, WCN3988, WCN6650, WCN6740, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2025-47325

| CVE ID | CVE-2025-47325 |
| --- | --- |
| Title | Untrusted Pointer Dereference in TZ Firmware |
| Description | Information disclosure while processing system calls with invalid parameters. |
| Technology Area | TZ Firmware |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | Medium |
| CVSS Score | 6.5 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| Date Reported | 2025/09/03 |
| Customer Notified Date | 2025/06/02 |
| Affected Chipsets\* | CSR8811, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, PMP8074, QCA4024, QCA6428, QCA6438, QCA8072, QCA8075, QCA8081, QCA9888, QCA9889, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5550, QCN6023, QCN6024, QCN9000, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, SDX55 |

### CVE-2025-47350

| CVE ID | CVE-2025-47350 |
| --- | --- |
| Title | Use After Free in DSP Service |
| Description | Memory corruption while handling concurrent memory mapping and unmapping requests from a user-space application. |
| Technology Area | DSP Service |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/09/01 |
| Affected Chipsets\* | FastConnect 6900, FastConnect 7800, QCA0000, SC8380XP, WCD9378C, WCD9380, WCD9385, WSA8840, WSA8845, WSA8845H, X2000077, X2000086, X2000090, X2000092, X2000094, XG101002, XG101032, XG101039 |

### CVE-2025-47387

| CVE ID | CVE-2025-47387 |
| --- | --- |
| Title | Untrusted Pointer Dereference in Camera |
| Description | Memory Corruption when processing IOCTLs for JPEG data without verification. |
| Technology Area | Camera |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/09/01 |
| Affected Chipsets\* | AQT1000, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, QCA6391, QCA6420, QCA6430, QCM5430, QCM6490, QCS5430, QCS6490, Qualcomm® Video Collaboration VC3 Platform, SC8180X+SDX55, SC8380XP, SM6250, Snapdragon 7c Compute Platform (SC7180-AC), Snapdragon 7c Gen 2 Compute Platform (SC7180-AD) "Rennell Pro", Snapdragon 7c+ Gen 3 Compute, Snapdragon 8c Compute Platform (SC8180X-AD) "Poipu Lite", Snapdragon 8c Compute Platform (SC8180XP-AD) "Poipu Lite", Snapdragon 8cx Compute Platform (SC8180X-AA, AB), Snapdragon 8cx Compute Platform (SC8180XP-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180X-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180XP-AA, AB), Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB), WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WSA8810, WSA8815, WSA8830, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2025-47321

| CVE ID | CVE-2025-47321 |
| --- | --- |
| Title | Buffer Copy Without Checking Size of Input in Core Services |
| Description | Memory corruption while copying packets received from unix clients. |
| Technology Area | Core Services |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2025/01/25 |
| Customer Notified Date | 2025/06/02 |
| Affected Chipsets\* | AR8031, AR8035, CSRA6620, CSRA6640, FastConnect 6200, FastConnect 6700, FastConnect 6900, FastConnect 7800, QAM8255P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA2066, QCA6174A, QCA6391, QCA6574, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCM5430, QCM6125, QCM6490, QCM8550, QCN6024, QCN9011, QCN9012, QCN9024, QCS5430, QCS6125, QCS6490, QCS8550, QEP8111, QMP1000, Qualcommr Video Collaboration VC1 Platform, Qualcommr Video Collaboration VC3 Platform, Robotics RB2 Platform, SA4150P, SA4155P, SA6155P, SA7255P, SA7775P, SA8155P, SA8195P, SA8255P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SDX61, SM6475, SM6650, SM6650P, SM7250P, SM7435, SM7635, SM7635P, SM8735, SM8750, SM8750P, Smart Audio 400 Platform, Snapdragon 4 Gen 2 Mobile Platform, Snapdragon 6 Gen 1 Mobile Platform, Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 765 5G Mobile Platform (SM7250-AA), Snapdragon 765G 5G Mobile Platform (SM7250-AB), Snapdragon 768G 5G Mobile Platform (SM7250-AC), Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X32 5G Modem-RF System, Snapdragon X35 5G Modem-RF System, Snapdragon X65 5G Modem-RF System, SRV1H, SRV1M, SSG2115P, SSG2125P, SW5100, SW5100P, SXR1230P, SXR2230P, SXR2250P, WCD9335, WCD9340, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9395, WCN3950, WCN3980, WCN3988, WCN6650, WCN6740, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |

\*The list of affected chipsets may not be complete.
                For latest information, device OEMs can contact QTI directly at [www.qualcomm.com/support](https://www.qualcomm.com/support).

## Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software

This table lists high impact security vulnerabilities.
                Patches are being actively shared with OEMs, who have been notified and strongly recommended to deploy those patches on released devices as soon as possible.
                Please contact the device manufacturer for information on the patching status of released devices.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2025-47382 | High | High | Boot | Internal |

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2025-27063 | Medium | High | Video | 10/21/2024 |
| CVE-2025-47320 | Medium | High | Audio | 02/04/2025 |
| CVE-2025-47322 | Medium | High | Automotive Android OS | 02/07/2025 |

### CVE-2025-47382

| CVE ID | CVE-2025-47382 |
| --- | --- |
| Title | Incorrect Authorization in Boot |
| Description | Memory corruption while loading an invalid firmware in boot loader. |
| Technology Area | Boot |
| Vulnerability Type | CWE-863: Incorrect Authorization |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/09/01 |
| Affected Chipsets\* | FastConnect 6200, FastConnect 6700, FastConnect 6900, FastConnect 7800, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6688AQ, QCA6696, QCA6698AQ, QCA6797AQ, QCA8695AU, QCA9367, QCA9377, QCM6690, QCS610, QCS6690, QMP1000, Qualcomm® Video Collaboration VC1 Platform, Qualcomm® Video Collaboration VC3 Platform, SA6155P, SA7255P, SA7775P, SA8155P, SA8195P, SA8255P, SA8295P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SG6150, SG6150P, SM4635, SM6650, SM6650P, SM7635, SM7635P, SM7675, SM7675P, SM8635, SM8635P, SM8650Q, SM8735, SM8750, SM8750P, SM8850, SM8850P, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 695 5G Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon W5+ Gen 1 Wearable Platform, SRV1H, SRV1L, SRV1M, SW5100, SW5100P, SXR2330P, SXR2350P, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3950, WCN3980, WCN3988, WCN6450, WCN6650, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/abl/tianocore/edk2/-/commit/c7af5ee0957aab91e2a8d45a1e48f6d532e04de1" target="_blank">https://git.codelinaro.org/clo/la/abl/tianocore/edk2/-/commit/c7af5ee0957aab91e2a8d45a1e48f6d532e04de1</a><br>                                       </li></ul> |

### CVE-2025-27063

| CVE ID | CVE-2025-27063 |
| --- | --- |
| Title | Use After Free in Video |
| Description | Memory corruption during video playback when video session open fails with time out error. |
| Technology Area | Video |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2024/10/21 |
| Customer Notified Date | 2025/06/02 |
| Affected Chipsets\* | CSRA6620, CSRA6640, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, Flight RB5 5G Platform, QAM8295P, QCA6391, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6688AQ, QCA6696, QCA6698AQ, QCM2290, QCM5430, QCM6125, QCM6490, QCN9011, QCN9012, QCS2290, QCS410, QCS5430, QCS610, QCS6125, QCS6490, QCS7230, QCS8250, QRB5165M, QRB5165N, Qualcomm 215 Mobile Platform, Qualcommr Video Collaboration VC1 Platform, Qualcommr Video Collaboration VC3 Platform, Qualcommr Video Collaboration VC5 Platform, Robotics RB2 Platform, Robotics RB5 Platform, SA4150P, SA4155P, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SA8295P, SD660, SD865 5G, SM7250P, SM7325P, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 4 Gen 2 Mobile Platform, Snapdragon 460 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 660 Mobile Platform, Snapdragon 662 Mobile Platform, Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 690 5G Mobile Platform, Snapdragon 695 5G Mobile Platform, Snapdragon 765 5G Mobile Platform (SM7250-AA), Snapdragon 765G 5G Mobile Platform (SM7250-AB), Snapdragon 768G 5G Mobile Platform (SM7250-AC), Snapdragon 778G 5G Mobile Platform, Snapdragon 778G+ 5G Mobile Platform (SM7325-AE), Snapdragon 782G Mobile Platform (SM7325-AF), Snapdragon 7c+ Gen 3 Compute, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X55 5G Modem-RF System, Snapdragon XR2 5G Platform, Snapdragon XR2+ Gen 1 Platform, SSG2115P, SSG2125P, SW5100, SW5100P, SXR1230P, SXR2230P, WCD9326, WCD9335, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3615, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN6740, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835 |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/opensource/video-driver/-/commit/cc9f3cc50311796626b2c40b049daeef0a5719ea" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/opensource/video-driver/-/commit/cc9f3cc50311796626b2c40b049daeef0a5719ea</a><br>                                       </li></ul> |

### CVE-2025-47320

| CVE ID | CVE-2025-47320 |
| --- | --- |
| Title | Out-of-bounds Write in Audio |
| Description | Memory corruption while processing MFC channel configuration during music playback. |
| Technology Area | Audio |
| Vulnerability Type | CWE-787: Out-of-bounds Write |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2025/02/04 |
| Customer Notified Date | 2025/06/02 |
| Affected Chipsets\* | 9206 LTE Modem, APQ8017, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, C-V2X 9150, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, Flight RB5 5G Platform, MDM9250, MDM9628, MDM9640, MSM8996AU, QAM8255P, QAM8295P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA2066, QCA6174A, QCA6391, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6797AQ, QCA8081, QCA8337, QCA9367, QCA9377, QCC710, QCM2290, QCM5430, QCM6125, QCM6490, QCM8550, QCN6224, QCN6274, QCN9011, QCN9012, QCS2290, QCS410, QCS5430, QCS610, QCS6125, QCS6490, QCS7230, QCS8250, QCS8550, QEP8111, QFW7114, QFW7124, QRB5165M, QRB5165N, Qualcomm 215 Mobile Platform, Qualcommr Video Collaboration VC1 Platform, Qualcommr Video Collaboration VC3 Platform, Qualcommr Video Collaboration VC5 Platform, Robotics RB2 Platform, Robotics RB5 Platform, SA2150P, SA4150P, SA4155P, SA6145P, SA6150P, SA6155, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8255P, SA8295P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SD626, SD660, SD855, SD865 5G, SDM429W, SDX55, SG4150P, SG8275, SG8275P, SM4635, SM6650, SM6650P, SM7250P, SM7325P, SM7550, SM7550P, SM7635, SM7635P, SM7675, SM7675P, SM8550P, SM8635, SM8635P, SM8650Q, Smart Audio 400 Platform, Smart Display 200 Platform (APQ5053-AA), Snapdragon 1200 Wearable Platform, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 429 Mobile Platform, Snapdragon 460 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 625 Mobile Platform, Snapdragon 626 Mobile Platform, Snapdragon 660 Mobile Platform, Snapdragon 662 Mobile Platform, Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 690 5G Mobile Platform, Snapdragon 695 5G Mobile Platform, Snapdragon 720G Mobile Platform, Snapdragon 765 5G Mobile Platform (SM7250-AA), Snapdragon 765G 5G Mobile Platform (SM7250-AB), Snapdragon 768G 5G Mobile Platform (SM7250-AC), Snapdragon 778G 5G Mobile Platform, Snapdragon 778G+ 5G Mobile Platform (SM7325-AE), Snapdragon 782G Mobile Platform (SM7325-AF), Snapdragon 7c+ Gen 3 Compute, Snapdragon 8 Gen 2 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 8+ Gen 2 Mobile Platform, Snapdragon 820 Automotive Platform, Snapdragon 855 Mobile Platform, Snapdragon 855+/860 Mobile Platform (SM8150-AC), Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon Auto 5G Modem-RF, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X12 LTE Modem, Snapdragon X32 5G Modem-RF System, Snapdragon X35 5G Modem-RF System, Snapdragon X5 LTE Modem, Snapdragon X55 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, Snapdragon XR1 Platform, Snapdragon XR2 5G Platform, Snapdragon XR2+ Gen 1 Platform, Snapdragon Auto 4G Modem, SRV1H, SRV1M, SW5100, SW5100P, SXR1120, Vision Intelligence 100 Platform (APQ8053-AA), Vision Intelligence 200 Platform (APQ8053-AC), Vision Intelligence 300 Platform, Vision Intelligence 400 Platform, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3615, WCN3620, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN6650, WCN6755, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel/-/commit/4240e3ee8ade5fed0b7dcd1ca58b85d07b4b2706" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel/-/commit/4240e3ee8ade5fed0b7dcd1ca58b85d07b4b2706</a><br>                                       </li></ul> |

### CVE-2025-47322

| CVE ID | CVE-2025-47322 |
| --- | --- |
| Title | Use After Free in Automotive Linux OS |
| Description | Memory corruption while handling IOCTL calls to set mode. |
| Technology Area | Automotive Android OS |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2025/02/07 |
| Customer Notified Date | 2025/06/02 |
| Affected Chipsets\* | AR8031, AR8035, CSRA6620, CSRA6640, FastConnect 6900, FastConnect 7800, Flight RB5 5G Platform, QAM8255P, QAM8295P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA2066, QCA6174A, QCA6391, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6797AQ, QCA8081, QCA8337, QCC710, QCM2290, QCM6125, QCM8550, QCN6224, QCN6274, QCN9011, QCN9012, QCS2290, QCS6125, QCS7230, QCS8250, QCS8550, QDU1010, QDX1010, QDX1011, QEP8111, QFW7114, QFW7124, QRB5165N, Qualcommr Video Collaboration VC1 Platform, Qualcommr Video Collaboration VC5 Platform, Robotics RB5 Platform, SA6155P, SA7255P, SA7775P, SA8155P, SA8195P, SA8255P, SA8295P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SG4150P, SG8275, SG8275P, SM7550, SM7550P, SM8550P, Smart Audio 400 Platform, Snapdragon 460 Mobile Platform, Snapdragon 662 Mobile Platform, Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 8 Gen 2 Mobile Platform, Snapdragon 8+ Gen 2 Mobile Platform, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X32 5G Modem-RF System, Snapdragon X35 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, SRV1H, SRV1M, SW5100, SW5100P, WCD9335, WCD9340, WCD9370, WCD9371, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3910, WCN3950, WCN3980, WCN3988, WCN6650, WCN6755, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/kernel/msm-5.15/-/commit/3d1a40658073227f3277c958aa9dac942f90a6e8<br>" target="_blank">https://git.codelinaro.org/clo/la/kernel/msm-5.15/-/commit/3d1a40658073227f3277c958aa9dac942f90a6e8<br></a><br>                                       </li><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom/opensource/platform-kernel/-/commit/ce37f789be71f8ab8a28bb6c20f6b91242c51625" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom/opensource/platform-kernel/-/commit/ce37f789be71f8ab8a28bb6c20f6b91242c51625</a><br>                                       </li></ul> |

\* The list of affected chipsets may not be complete.
                For latest information, device OEMs can contact QTI directly at [www.qualcomm.com/support](https://www.qualcomm.com/support).

\*\* Data is generated only at the time of bulletin creation

## Industry Coordination

Security ratings of issues included in Android security
                bulletins and these bulletins match in the most common scenarios but may
                differ in some cases due to one of the following reasons:

- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific
                    scenarios that involves local denial of service or privilege escalation
                    vulnerabilities in the high level OS kernel

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.

Qualcomm Technologies, Inc.

San Diego, CA 92121

U.S.A.

© 2022 Qualcomm Technologies, Inc. and/or its subsidiaries. All rights reserved.