CVE-2025-47405
Published: 04 May 2026
Description
Memory corruption when processing camera sensor input/output control codes with invalid output buffers.
Security Summary (AI)
CVE-2025-47405 is a memory corruption vulnerability, classified as CWE-822 (Untrusted Pointer Dereference), that occurs when processing camera sensor input/output control codes with invalid output buffers. It affects components within Qualcomm products, as documented in the vendor's May 2026 security bulletin. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), which rates it as high severity.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and without user interaction. Exploitation involves supplying malformed camera sensor IOCTL requests with invalid output buffers, leading to memory corruption. A successful attack could have a high impact on confidentiality, integrity, and availability, such as arbitrary code execution in the context of the affected process or complete system denial of service.
Qualcomm's May 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html provides details on affected products, patch availability, and recommended mitigations for this CVE. Security practitioners should consult the bulletin for version-specific remediation steps.
Details
- CWE(s)