Qualcomm has released its May 2026 Security Bulletin, disclosing a series of high-impact vulnerabilities across its proprietary software and hardware components. The bulletin highlights several Critical vulnerabilities that could allow for unauthorized remote access and memory corruption on millions of devices powered by Qualcomm chipsets.
The company is actively sharing patches with Original Equipment Manufacturers (OEMs) and has strongly recommended that they deploy these updates to released devices as soon as possible.
The most severe vulnerability addressed this month is CVE-2026-25254, which carries a CVSS score of 9.8. Found in the Qualcomm Software Center (QSC), this Critical-rated flaw involves improper authorization within the SocketIO interface.
- Vulnerability Type: Improper Authorization (CWE-285).
- Impact: This flaw leads directly to Remote Code Execution (RCE).
- Access Vector: Remote.
- Affected Versions: QSC v1.17.1, v1.19.1, and v1.21.0.
By exploiting this interface, an attacker could potentially execute malicious commands without needing local access to the device.
Another critical concern resides at the very foundation of device security: the Primary Bootloader. Tracked as CVE-2026-25262, this “Write-what-where” condition occurs while the system processes a crafted ELF (Executable and Linkable Format) file.
While this attack requires local access, the result is significant memory corruption that compromises the boot integrity. This issue affects a broad range of legacy and specialized chipsets, including the MSM8909, MSM8916, and SDX50.
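The bulletin does not describe the internal cause of CVE-2026-25262, so the following is a generic illustration of the vulnerability class rather than Qualcomm's bootloader code: a write-what-where in an ELF loader arises when a program header's destination address (p_paddr), file offset (p_offset) or sizes (p_filesz, p_memsz) are copied without being checked against the image and the permitted load range. This added example, not part of the article, shows an ELF32 segment loader that performs those checks before any memcpy; the load window, the `ram` buffer that stands in for device memory, and the function names are assumptions made for the example, and the test images are constructed data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ELF32 structures as defined in the ELF specification (52 and 32 bytes). */
#define EI_NIDENT  16
#define PT_LOAD    1
#define ELFCLASS32 1
#define MAX_PHDRS  64

typedef struct {
    unsigned char e_ident[EI_NIDENT];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf32_Ehdr;

typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
} Elf32_Phdr;

/* Hypothetical load window: the only physical range this loader may write to.
 * Modelled as a RAM buffer so the example runs in user space. */
#define LOAD_BASE 0x80000000u
#define LOAD_SIZE 0x00010000u
static uint8_t ram[LOAD_SIZE];

typedef enum { LOAD_OK, LOAD_BAD_HEADER, LOAD_BAD_PHTABLE, LOAD_BAD_SEGMENT, LOAD_BAD_DEST } load_status;

/* Validate every PT_LOAD segment of an in-memory ELF image, then copy it.
 * Each check rejects an image-controlled field that would otherwise steer the
 * copy's destination, source or length outside the image or the load window. */
load_status load_elf_image(const uint8_t *img, size_t img_len)
{
    Elf32_Ehdr eh;
    if (img_len < sizeof eh) return LOAD_BAD_HEADER;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != ELFCLASS32)
        return LOAD_BAD_HEADER;
    if (eh.e_phentsize != sizeof(Elf32_Phdr) || eh.e_phnum > MAX_PHDRS)
        return LOAD_BAD_PHTABLE;
    /* Program header table must lie inside the image (subtract, never add, to avoid overflow). */
    if (eh.e_phoff > img_len || (size_t)eh.e_phnum * sizeof(Elf32_Phdr) > img_len - eh.e_phoff)
        return LOAD_BAD_PHTABLE;

    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Elf32_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        /* Source range [p_offset, p_offset + p_filesz) must be inside the image. */
        if (ph.p_filesz > ph.p_memsz || ph.p_offset > img_len || ph.p_filesz > img_len - ph.p_offset)
            return LOAD_BAD_SEGMENT;
        /* Destination range [p_paddr, p_paddr + p_memsz) must be inside the load window.
         * Omitting this check is what turns p_paddr into a write-what-where primitive. */
        if (ph.p_paddr < LOAD_BASE || ph.p_paddr - LOAD_BASE > LOAD_SIZE ||
            ph.p_memsz > LOAD_SIZE - (ph.p_paddr - LOAD_BASE))
            return LOAD_BAD_DEST;
    }
    /* Second pass: every segment has been validated, so no copy can leave the window. */
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Elf32_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        uint8_t *dst = ram + (ph.p_paddr - LOAD_BASE);
        memcpy(dst, img + ph.p_offset, ph.p_filesz);
        memset(dst + ph.p_filesz, 0, ph.p_memsz - ph.p_filesz); /* zero-filled .bss tail */
    }
    return LOAD_OK;
}

/* Build a one-segment ELF32 image with a fixed 4-byte payload (constructed test data). */
size_t build_elf_image(uint8_t *out, size_t cap, uint32_t p_paddr, uint32_t p_filesz, uint32_t p_memsz)
{
    const uint32_t payload_off = sizeof(Elf32_Ehdr) + sizeof(Elf32_Phdr); /* 84 */
    Elf32_Ehdr eh = {0};
    Elf32_Phdr ph = {0};
    if (cap < payload_off + 4) return 0;
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = ELFCLASS32;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_LOAD; ph.p_offset = payload_off;
    ph.p_paddr = p_paddr; ph.p_filesz = p_filesz; ph.p_memsz = p_memsz;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    memcpy(out + payload_off, "\xde\xad\xbe\xef", 4);
    return payload_off + 4;
}

/* Run four scenarios; returns 0 when every outcome matches expectation. */
int demo_scenarios(void)
{
    uint8_t img[128];
    size_t n = build_elf_image(img, sizeof img, LOAD_BASE + 0x100, 4, 8);
    if (load_elf_image(img, n) != LOAD_OK) return 1;
    if (memcmp(ram + 0x100, "\xde\xad\xbe\xef", 4) != 0 || ram[0x104] != 0) return 2;
    /* p_paddr outside the load window: rejected before any write happens. */
    n = build_elf_image(img, sizeof img, 0xFFFFFFF0u, 4, 8);
    if (load_elf_image(img, n) != LOAD_BAD_DEST) return 3;
    /* p_filesz claims more bytes than the image contains. */
    n = build_elf_image(img, sizeof img, LOAD_BASE + 0x100, 1000, 1000);
    if (load_elf_image(img, n) != LOAD_BAD_SEGMENT) return 4;
    /* Truncated image. */
    if (load_elf_image(img, 10) != LOAD_BAD_HEADER) return 5;
    return 0;
}

int main(void)
{
    int r = demo_scenarios();
    printf("%s (code %d)\n", r == 0 ? "all scenarios behaved as expected" : "unexpected result", r);
    return r;
}
```

The two-pass structure matters: validating all headers before copying any of them means a later bad segment cannot leave the loader half-way through a partially written image, and every bound is expressed as a subtraction from a known length so that a large 32-bit offset cannot wrap the arithmetic.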
Qualcomm also patched a critical vulnerability in its PLC (Power Line Communication) Firmware, tracked as CVE-2026-25293. With a CVSS score of 9.6, this flaw is caused by incorrect authorization that leads to a buffer overflow.
Like the Software Center flaw, this vulnerability is remotely accessible and affects the QCA7005 chipset. The severity is amplified because the exploit can cross security boundaries to impact the entire system.
Because Qualcomm provides the underlying technology to various smartphone and IoT manufacturers, users cannot patch these issues directly. You must wait for your device manufacturer (OEM) to release a system update.