Critical CVE-2025-21483 & CVE-2025-27034 in Qualcomm Modems Score CVSS 9.8

Qualcomm has published its September 2025 Security Bulletin, addressing a wide range of vulnerabilities across its chipsets, connectivity stacks, and automotive platforms. In total, dozens of flaws were patched, with two of them rated Critical (CVSS 9.8) due to their potential for remote code execution.

The first critical flaw, CVE-2025-21483, exists in the Data Network Stack & Connectivity components. Qualcomm describes it as “memory corruption when the UE receives an RTP packet from the network, during the reassembly of NALUs.”

This vulnerability (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) can be triggered remotely, without authentication or user interaction. With a CVSS score of 9.8 (Critical), successful exploitation could allow attackers to execute arbitrary code, compromise device integrity, and crash affected systems.

A wide range of chipsets are affected, including Snapdragon 8 Gen 1/2/3 platforms, Snapdragon 865/870/888/8+ Gen 1, Snapdragon 480/695/780G/782G mobile platforms, and numerous FastConnect, QCM, and automotive SoCs.

The second critical vulnerability, CVE-2025-27034, impacts the Multi-Mode Call Processor. Qualcomm explains: “Memory corruption while selecting the PLMN from SOR failed list.”

This flaw (CWE-129: Improper Validation of Array Index) is also remotely exploitable, requiring no privileges or user interaction. It carries the same CVSS 9.8 rating as CVE-2025-21483, meaning attackers could potentially achieve remote code execution within modem or telephony components, opening the door to call hijacking, data theft, or persistent malware installation.

Impacted hardware includes Snapdragon X70/X72/X75 modem-RF systems, Snapdragon 8 Gen platforms, Snapdragon Auto 5G modems, and numerous QCM/QCS chipsets.

Beyond the two critical issues, Qualcomm patched multiple High severity flaws affecting:

• Core & HLOS – Memory corruption issues in core OS components.
• Hypervisor – Flaws enabling potential VM escapes.
• Automotive QNX platform – Several high-impact vulnerabilities in infotainment and in-vehicle networking.
• WLAN, Bluetooth, and Camera subsystems – Risks of crashes or potential privilege escalation.

Additionally, a number of Medium severity vulnerabilities were fixed in areas such as video processing, which could be leveraged for denial-of-service (DoS) attacks.

With two Critical CVSS 9.8 vulnerabilities exposing millions of devices to potential remote code execution, OEMs and end-users alike are strongly urged to deploy firmware updates immediately.

Related Posts:

• MediaTek September 2025 Security Bulletin: High-Severity Modem Flaws Could Enable Remote Attacks
• Microsoft to Unveil New Copilot+ PC and Surface Device
• MediaTek May 2025 Security Bulletin: Chipset Vulnerabilities Disclosed