Critical Qualcomm Vulnerabilities Enable Remote Code Execution on Multiple Devices

Recent discoveries have unveiled two critical vulnerabilities within Qualcomm Technologies’ proprietary components, specifically the Data Network Stack and Multi-Mode Call Processor. These flaws, identified as CVE-2025-21483 and CVE-2025-27034, each possess a Common Vulnerability Scoring System (CVSS) score of 9.8, indicating their severe impact on device security. Exploitation of these vulnerabilities allows remote attackers to execute arbitrary code, potentially compromising a wide range of devices, including smartphones, IoT devices, and automotive systems.

CVE-2025-21483: Remote Heap Buffer Overflow

The vulnerability CVE-2025-21483 is located within Qualcomm’s Real-time Transport Protocol (RTP) packet reassembly process in the Data Network Stack & Connectivity module. An attacker can craft a malicious RTP packet that triggers a heap-based buffer overflow by overrunning the NALU reassembly buffer. This flaw requires no user interaction and can be exploited remotely, granting attackers full control over affected chipsets. Notably, this includes Snapdragon 8 Gen1, Snapdragon 8 Gen2, FastConnect 7800, and numerous other platforms. Successful exploitation can lead to arbitrary code execution at the kernel level, jeopardizing data confidentiality, integrity, and availability.

CVE-2025-27034: Improper Array Index Validation Flaw

CVE-2025-27034 arises from improper validation of an array index in the Multi-Mode Call Processor. Attackers can send a malformed Public Land Mobile Network (PLMN) selection response that corrupts memory during index parsing. This vulnerability is exploitable over the network without requiring elevated privileges. Affected platforms encompass the Snapdragon X55 5G Modem-RF System, Snapdragon 8 Gen1, QCM5430, and various IoT and automotive modems. Exploiting this flaw enables arbitrary code execution with escalated privileges, posing significant risks to device security.

Mitigation Measures

In response to these vulnerabilities, Qualcomm has released patches and distributed them directly to Original Equipment Manufacturers (OEMs), urging immediate deployment. The recommended course of action includes integrating the proprietary software updates provided in the September 2025 Security Bulletin and ensuring the implementation of robust bounds-checking routines.
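The kind of bounds-checking routine recommended above, sketched for fragmented NALU reassembly. This is an added example, not Qualcomm's code and not taken from the bulletin. It assumes H.264 FU-A fragments as defined in RFC 6184 (the article does not name the payload format), and the buffer size, struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NALU_BUF_MAX 2048            /* assumed capacity for this example */

struct nalu_reasm {
    uint8_t buf[NALU_BUF_MAX];
    size_t  len;                     /* bytes currently stored */
    int     active;                  /* 1 between start and end fragments */
};
enum fu_result { FU_ERR = -1, FU_MORE = 0, FU_DONE = 1 };

/* Discard partial state so a rejected fragment cannot leave stale data. */
static enum fu_result fu_drop(struct nalu_reasm *r)
{
    r->len = 0; r->active = 0;
    return FU_ERR;
}

/* Feed one RTP payload carrying an FU-A fragment (RFC 6184, type 28).
 * payload[0] = FU indicator (F|NRI|28), payload[1] = FU header (S|E|R|type). */
enum fu_result fu_a_feed(struct nalu_reasm *r, const uint8_t *payload, size_t n)
{
    if (r == NULL) return FU_ERR;
    if (payload == NULL || n < 3 || (payload[0] & 0x1F) != 28)
        return fu_drop(r);           /* too short, or not an FU-A packet */

    int start = (payload[1] & 0x80) != 0;
    int end   = (payload[1] & 0x40) != 0;
    size_t frag_len = n - 2;         /* safe: n >= 3 was checked above */
    if (start && end)
        return fu_drop(r);           /* RFC 6184: S and E never both set */

    if (start) {
        /* Rebuild the NAL header: F/NRI from indicator, type from FU header */
        r->buf[0] = (uint8_t)((payload[0] & 0xE0) | (payload[1] & 0x1F));
        r->len = 1;
        r->active = 1;
    } else if (!r->active) {
        return fu_drop(r);           /* continuation without a start fragment */
    }

    /* Compare against remaining space; a subtraction cannot wrap here */
    if (frag_len > NALU_BUF_MAX - r->len)
        return fu_drop(r);
    memcpy(r->buf + r->len, payload + 2, frag_len);
    r->len += frag_len;
    if (end) r->active = 0;
    return end ? FU_DONE : FU_MORE;
}
```

The length check is made against the space remaining in the buffer for every fragment, so the total accumulated across fragments is bounded, not only the size of each one.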

Device manufacturers are advised to promptly update firmware to eliminate the attack vectors associated with CVE-2025-21483’s RTP parser and CVE-2025-27034’s array index logic. Security experts emphasize the importance of monitoring CVSS strings and employing network filtering as interim protective measures. Administrators should block unexpected RTP streams and PLMN selection traffic until the patched firmware is installed. Additionally, implementing strict Security-Enhanced Linux (SELinux) policies on Android platforms can further restrict exploit attempts.

Stakeholders are encouraged to audit firmware versions, apply patches without delay, and maintain vigilant network monitoring to defend against these high-severity exploits. Qualcomm customers and end-users should contact their device manufacturers or visit Qualcomm’s support portal for detailed patch instructions and information on chipset coverage.