These flaws, tracked as CVE-2025-21483 and CVE-2025-27034, each carry a CVSS score of 9.8 and exploit buffer-corruption weaknesses to compromise device security.
Key Takeaways
1. CVE-2025-21483 & CVE-2025-27034 allow remote RCE.
2. Affects Snapdragon 8 Gen1/Gen2, FastConnect, X55, IoT/automotive chips.
3. Patch now and filter RTP/PLMN traffic.
The most severe issue, CVE-2025-21483, resides in Qualcomm’s Real-time Transport Protocol (RTP) packet reassembly within the Data Network Stack & Connectivity module.
An attacker can send a malicious RTP packet that triggers a heap-based buffer overflow (CWE-119) by overrunning the NALU reassembly buffer.
With a remote access vector and no user interaction required, this vulnerability enables full control over affected chipsets, including Snapdragon 8 Gen1, Snapdragon 8 Gen2, FastConnect 7800, and dozens more.
Once exploited, arbitrary code execution at the kernel level can occur, compromising data confidentiality, integrity, and availability.
Equally critical is CVE-2025-27034, which stems from an improper validation of an array index (CWE-129) in the Multi-Mode Call Processor.
Attackers can craft a malformed Public Land Mobile Network (PLMN) selection response that corrupts memory during index parsing.
The flaw’s remote access vector and lack of privilege requirements make it exploitable over the network.
Affected platforms include the Snapdragon X55 5G Modem-RF System, Snapdragon 8 Gen1, QCM5430, and numerous IoT and automotive modems. Successful exploitation leads to arbitrary code execution with escalated privileges.
| CVE | Title | CVSS 3.1 Score | Severity |
| CVE-2025-21483 | Improper Restriction of Operations within the Bounds of a Memory Buffer in Data Network Stack & Connectivity | 9.8 | Critical |
| CVE-2025-27034 | Improper Validation of Array Index in Multi-Mode Call Processor | 9.8 | Critical |
Qualcomm has issued patches for both vulnerabilities, distributing updates directly to OEMs and urging immediate deployment.
The recommended countermeasure is to integrate the proprietary software updates provided in the September 2025 Security Bulletin and verify the presence of hardened bounds-checking routines.
Device manufacturers must ensure timely firmware upgrades to eliminate attack vectors in CVE-2025-21483’s RTP parser and CVE-2025-27034’s array index logic.
Security researchers emphasize the necessity of monitoring CVSS strings and employing network filtering as an interim safeguard.
Administrators should block unexpected RTP streams and PLMN selection traffic until patched firmware is installed. Additionally, implementing strict SELinux policies on Android platforms can further constrain exploit attempts.
Stakeholders are advised to audit firmware versions, apply patches immediately, and maintain vigilant network monitoring to defend against these high-severity exploits.
Qualcomm customers and device end-users should contact their manufacturers or visit Qualcomm’s support portal for detailed patch instructions and chipset coverage details.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
The post Critical Qualcomm Vulnerabilities Allow Attackers to Execute Arbitrary Code Remotely appeared first on Cyber Security News.
CountrySelect Pro is a lightweight vanilla JavaScript country selector that adds a searchable dropdown with…
Editium is a lightweight WYSIWYG editor that supports both React and Vanilla JavaScript with a…
A new open-source edge AI system called π RuView is turning ordinary WiFi infrastructure into…
SELMA, Ala. (AP) — Sixty-one years after state troopers attacked Civil Rights marchers on the…
A Janesville family is creating a scholarship foundation in memory of their son, 14-year-old Kase…
Spoilers follow for Star Trek: Starfleet Academy Episode 9, “300th Night,” which is available on…
This website uses cookies.