VYPR
patch · Published Jun 1, 2026 · Updated Jun 2, 2026 · 1 source

Qualcomm: 18 Memory Corruption and Crypto Flaws Disclosed on June 1st

Key findings

  • 18 vulnerabilities disclosed by Qualcomm on June 1st, 2026.
  • Predominantly memory corruption flaws affecting Strongbox and fastboot processing.
  • Several high-severity flaws impact cryptographic integrity and bootloader security.
  • Vulnerabilities range from buffer overflows to improper input validation.
  • Information disclosure issues also present in advertisement frame processing and factory resets.

Qualcomm has addressed a significant batch of 18 vulnerabilities, all disclosed on June 1st, 2026. The disclosures are predominantly memory corruption issues, and several also involve cryptographic weaknesses that could allow unauthorized modification of the boot flow or the loading of a custom bootloader. The vulnerabilities span several functional areas, including Strongbox, fastboot command processing, diagnostic services, and secure data initialization.

The majority of the disclosed vulnerabilities fall under the 'High' severity rating, with CVSS scores ranging from 7.1 to 8.8. A notable cluster of these high-severity flaws, such as CVE-2026-25277 and CVE-2026-25276, is related to memory corruption within the Strongbox component, stemming from issues like buffer overflows and missing bounds checks. These could potentially lead to system instability or compromise.

Another significant group of vulnerabilities, including CVE-2026-24092, CVE-2026-24091, and CVE-2026-24089, is associated with the processing of fastboot commands. These flaws, characterized by memory corruption due to improperly formatted or invalid input, could be exploited to manipulate display modes or execute unauthorized commands during the device boot process.

Furthermore, several vulnerabilities directly impact the boot process and cryptographic integrity. CVE-2026-24090 and CVE-2026-24088 are cryptographic issues that arise when partition table entries or specific partitions are processed, and they could permit unauthorized modification of the boot flow or the loading of custom bootloaders.

Other memory corruption vulnerabilities were identified in shared buffer access without proper validation (CVE-2026-25260), secure data initialization leading to heap memory exhaustion (CVE-2025-59606), and improper handling of device identifier strings (CVE-2025-59605). Medium-severity flaws, like CVE-2025-59613, CVE-2025-59612, and CVE-2025-59611, also involve memory corruption, in areas like data copying operations, Windows drivers, and diagnostic services, due to missing input validation or incorrect trusted application requests.

Information disclosure vulnerabilities were also present, including CVE-2025-59609, which relates to the processing of malformed advertisement frames, and CVE-2025-59601, which allows unauthorized access to device configuration when resetting to factory default settings via the powerline interface.

Qualcomm has provided patches for these vulnerabilities. Users and device manufacturers are strongly advised to consult Qualcomm's official security bulletins for specific affected product versions and recommended mitigation steps. Prompt application of these patches is crucial to protect devices from potential exploitation, especially given the high severity ratings of many of these flaws.

The sheer volume and the nature of these vulnerabilities, particularly those affecting the boot process and memory integrity, underscore the importance of ongoing security diligence for Qualcomm's chipsets and the devices that utilize them. Staying updated with security advisories and applying patches promptly remains the most effective defense against these types of threats.

Synthesized by Vypr AI