Use After Free in NPU_CVE-2025-21458

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Memory corruption when IOCTL interface is called to map and unmap buffers simultaneously.

Basic Information

ID CVE-2025-21458

Source qualcomm

Published Aug 6, 2025 at 07:25

Modified Aug 6, 2025 at 14:37

Affected Product

Vendor Qualcomm, Inc.

Product Snapdragon

Version FastConnect 6900

Affected Versions Qualcomm, Inc. Snapdragon FastConnect 6900
Qualcomm, Inc. Snapdragon QAM8255P
Qualcomm, Inc. Snapdragon QAM8650P
Qualcomm, Inc. Snapdragon QAM8775P
Qualcomm, Inc. Snapdragon QCA6174A
Qualcomm, Inc. Snapdragon QCA6698AQ
Qualcomm, Inc. Snapdragon QCA6797AQ
Qualcomm, Inc. Snapdragon SA7255P
Qualcomm, Inc. Snapdragon SA7775P
Qualcomm, Inc. Snapdragon SA8255P
Qualcomm, Inc. Snapdragon SA8620P
Qualcomm, Inc. Snapdragon SA8650P
Qualcomm, Inc. Snapdragon SA8775P
Qualcomm, Inc. Snapdragon SA9000P
Qualcomm, Inc. Snapdragon Snapdragon 888 5G Mobile Platform
Qualcomm, Inc. Snapdragon Snapdragon 888+ 5G Mobile Platform (SM8350-AC)
Qualcomm, Inc. Snapdragon SW5100
Qualcomm, Inc. Snapdragon SW5100P
Qualcomm, Inc. Snapdragon WCD9380
Qualcomm, Inc. Snapdragon WCD9385
Qualcomm, Inc. Snapdragon WCN3980
Qualcomm, Inc. Snapdragon WCN3988
Qualcomm, Inc. Snapdragon WSA8830
Qualcomm, Inc. Snapdragon WSA8835

CWE Classification

CWE-416

References

docs.qualcomm.com /product/publicresources/securitybulletin/august-2025-bulletin.html

{
    "lastseen": "",
    "description": "Memory corruption when IOCTL interface is called to map and unmap buffers simultaneously.",
    "published": "2025-08-06T07:25:51.371Z",
    "modified": "2025-08-06T14:37:14.645Z",
    "type": "cve",
    "title": "Use After Free in NPU",
    "source": "qualcomm",
    "references": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2025-bulletin.html",
    "id": "CVE-2025-21458",
    "bulletinFamily": "",
    "cwe": [
        "CWE-416"
    ],
    "cvelist": null,
    "sourceData": "Qualcomm, Inc. Snapdragon FastConnect 6900\nQualcomm, Inc. Snapdragon QAM8255P\nQualcomm, Inc. Snapdragon QAM8650P\nQualcomm, Inc. Snapdragon QAM8775P\nQualcomm, Inc. Snapdragon QCA6174A\nQualcomm, Inc. Snapdragon QCA6698AQ\nQualcomm, Inc. Snapdragon QCA6797AQ\nQualcomm, Inc. Snapdragon SA7255P\nQualcomm, Inc. Snapdragon SA7775P\nQualcomm, Inc. Snapdragon SA8255P\nQualcomm, Inc. Snapdragon SA8620P\nQualcomm, Inc. Snapdragon SA8650P\nQualcomm, Inc. Snapdragon SA8775P\nQualcomm, Inc. Snapdragon SA9000P\nQualcomm, Inc. Snapdragon Snapdragon 888 5G Mobile Platform\nQualcomm, Inc. Snapdragon Snapdragon 888+ 5G Mobile Platform (SM8350-AC)\nQualcomm, Inc. Snapdragon SW5100\nQualcomm, Inc. Snapdragon SW5100P\nQualcomm, Inc. Snapdragon WCD9380\nQualcomm, Inc. Snapdragon WCD9385\nQualcomm, Inc. Snapdragon WCN3980\nQualcomm, Inc. Snapdragon WCN3988\nQualcomm, Inc. Snapdragon WSA8830\nQualcomm, Inc. Snapdragon WSA8835",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Snapdragon",
    "version": "FastConnect 6900",
    "vendor": "Qualcomm, Inc.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}