Qualcomm Technologies has published its July 2026 security bulletin, disclosing 12 vulnerabilities spanning proprietary firmware and open-source kernel components.
The standout issue, CVE-2026-25268, carries a Critical severity rating and touches an almost unprecedented range of hardware from flagship Snapdragon mobile platforms to industrial networking chips and automotive modems.
CVE-2026-25268 is a stack-based buffer overflow (CWE-121) in the WLAN Host component, triggered when the system processes invalid HT40 channel layouts during dynamic channel switching.
With a CVSS score of 8.8 and a “Remote” access vector, this vulnerability could allow an attacker within wireless range to corrupt memory and potentially execute arbitrary code without user interaction.
What makes this bulletin notable is scale: the affected chipset list runs into the hundreds, covering FastConnect connectivity modules, IPQ networking chips, Snapdragon mobile platforms, and even Wi-Fi components used in fixed wireless access and video collaboration hardware. Qualcomm discovered the issue internally and notified customers on April 6, 2026.
Three additional High-severity flaws round out the top tier:
- CVE-2026-21379 — a buffer over-read (CWE-126) in Windows Compute platforms, occurring when memory allocation requests exceed maximum permitted sizes; local access, CVSS 7.8.
- CVE-2026-21383 — a cryptographic weakness (CWE-323) in HLOS where a static initialization vector is reused for AES-GCM key wrapping, undermining the uniqueness guarantee that keeps encrypted data secure; CVSS 7.1.
- CVE-2026-25271 — a TOCTOU race condition (CWE-367) in DSP Service, where asynchronous input parameters can be altered between validation and use, leading to memory corruption. This was the only externally reported issue in the high-impact category, flagged by researcher heidada (heiheidada) on November 17, 2025.
The bulletin’s open-source table addresses seven Medium-severity issues, all reported by the same external researcher between July and August 2025:
- CVE-2025-59615, -59616, -59617 — three separate Use-After-Free bugs (CWE-416) in the Computer Vision/eva-kernel component, tied to improper synchronization during IOCTL buffer mapping and reuse.
- CVE-2026-21368, -21369, -21370, -21384 — four Out-of-Bounds Write flaws (CWE-787) in the camera-kernel driver, involving mishandled JPEG parsing, flash LED counts, batch size validation, and port indices.
All seven include public patch commits on Qualcomm’s CodeLinaro repositories, giving OEMs direct access to remediation code rather than waiting on binary blobs.
Because Qualcomm silicon underpins everything from budget Android phones to Windows-on-Snapdragon laptops, automotive modems, and industrial IoT gear, the practical risk depends entirely on how quickly OEMs push these fixes downstream.
Qualcomm’s bulletin explicitly notes that patch availability doesn’t equal patch deployment; users should check with device manufacturers directly for firmware update timelines, especially for the Critical WLAN flaw given its remote attack vector.
For security teams tracking exposure, the DSP Service and WLAN Host vulnerabilities merit priority attention given their severity ratings and broad chipset footprint, while the camera and computer vision fixes, though lower severity, affect widely deployed consumer devices and should be rolled into routine patch cycles.