SB2026010761 - Multiple vulnerabilities in Qualcomm chipsets (January 2026)
Published: January 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 22 secuirty vulnerabilities.
1) Use After Free (CVE-ID: CVE-2025-47339)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in HLOS. A local application can execute arbitrary code.
2) Double Free (CVE-ID: CVE-2025-47396)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.
3) Buffer over-read (CVE-ID: CVE-2025-47395)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
4) Improper Validation of Array Index (CVE-ID: CVE-2025-47393)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Linux OS. A local application can execute arbitrary code.
5) Untrusted Pointer Dereference (CVE-ID: CVE-2025-47380)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera. A local application can execute arbitrary code.
6) Double Free (CVE-ID: CVE-2025-47356)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Video. A local application can execute arbitrary code.
7) Use of Uninitialized Variable (CVE-ID: CVE-2025-47348)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in HLOS. A local application can execute arbitrary code.
8) Out-of-bounds write (CVE-ID: CVE-2025-47346)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in HLOS. A local application can execute arbitrary code.
9) Reusing a Nonce, Key Pair in Encryption (CVE-ID: CVE-2025-47345)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in Automotive Platform. A local application can read and manipulate data.
10) Untrusted Pointer Dereference (CVE-ID: CVE-2025-47343)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Video. A local application can execute arbitrary code.
11) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2025-47369)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation in Computer Vision. A local application can gain access to sensitive information.
12) Buffer overflow (CVE-ID: CVE-2025-47388)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in DSP Service. A local application can execute arbitrary code.
13) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2025-47344)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local privileged application can execute arbitrary code.
14) Use After Free (CVE-ID: CVE-2025-47337)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local privileged application can execute arbitrary code.
15) Use After Free (CVE-ID: CVE-2025-47336)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local privileged application can execute arbitrary code.
16) Use After Free (CVE-ID: CVE-2025-47333)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in HLOS. A local application can read and manipulate data.
17) Buffer overflow (CVE-ID: CVE-2025-47394)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in DSP Service. A local application can execute arbitrary code.
18) Buffer overflow (CVE-ID: CVE-2025-47335)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local privileged application can execute arbitrary code.
19) Buffer overflow (CVE-ID: CVE-2025-47334)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local privileged application can execute arbitrary code.
20) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2025-47332)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera Driver. A local privileged application can execute arbitrary code.
21) Buffer over-read (CVE-ID: CVE-2025-47331)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in Video. A local application can read and manipulate data.
22) Buffer over-read (CVE-ID: CVE-2025-47330)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Video. A local application can perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.