Cyber Posture

CVE-2025-21424

High

Published: 03 March 2025

Modified: 11 August 2025
KEV Added:
Patch:
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0021 (43.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

Memory corruption while calling the NPU driver APIs concurrently.

Security Summary

CVE-2025-21424 is a memory corruption vulnerability classified under CWE-416 (use-after-free), triggered by concurrent calls to NPU driver APIs. It affects Qualcomm's NPU driver components, with a CVSS v3.1 base score of 7.8 (High). The issue was publicly disclosed on March 3, 2025, via Qualcomm's security bulletin.

A local attacker with low privileges (PR:L) can exploit this vulnerability through low-complexity attacks (AC:L) requiring no user interaction (UI:N). Exploitation enables high-impact consequences, including unauthorized access to sensitive data (C:H), modification of system integrity (I:H), and disruption of availability (A:H), potentially leading to full device compromise within the unchanged security scope (S:U).

Mitigation details, including affected products and patching guidance, are outlined in Qualcomm's March 2025 security bulletin available at https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2025-bulletin.html.

Details

CWE(s)
CWE-416

Affected Products

Vendor | Product | Versions
qualcomm | 315 5g iot modem firmware | all versions
qualcomm | aqt1000 firmware | all versions
qualcomm | ar8031 firmware | all versions
qualcomm | ar8035 firmware | all versions
qualcomm | c-v2x 9150 firmware | all versions
qualcomm | sg4150p firmware | all versions
qualcomm | sg8275p firmware | all versions
qualcomm | sm4125 firmware | all versions
qualcomm | sm4635 firmware | all versions
qualcomm | sm6250 firmware | all versions
+229 more product configuration(s) — see NVD for full list
