{"id":36250,"date":"2026-05-23T04:21:29","date_gmt":"2026-05-22T17:21:29","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=36250"},"modified":"2026-05-23T04:21:29","modified_gmt":"2026-05-22T17:21:29","slug":"qualcomm-cve-2026-25262","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/qualcomm-cve-2026-25262\/36250\/","title":{"rendered":"Qualcomm vulnerability: phone repairs and car maintenance are no longer safe"},"content":{"rendered":"

Imagine handing your smartphone over for repair. A couple of days later, you pick it up \u2014 and great, it\u2019s working again! But you won\u2019t even realize that your device has been injected with malicious code, allowing attackers to access your smartphone even when it\u2019s locked.<\/p>\n

This is the beginning of the story shared by Kaspersky ICS CERT researchers, Alexander Kozlov and Sergey Anufrienko, at the Black Hat Asia 2026 conference<\/a>. They managed to uncover a vulnerability that flips conventional assumptions about smartphone and IoT security on their head. Its core lies at the very heart of Qualcomm chips.<\/p>\n

What is BootROM?<\/h2>\n

To grasp the severity of this discovery, we first need to look at how a modern device powered by a Qualcomm chip boots up. Think of it as a fortress with multiple layers of security. Each subsequent layer verifies the pass issued by the previous one. The bedrock foundation \u2014 the most trusted layer of them all \u2014 is the BootROM, a read-only memory baked directly into the silicon that can\u2019t be modified once it comes off the fab<\/a>.<\/p>\n

The BootROM is the very first thing to run when a device powers on. It verifies the signature of the next bootloader, which in turn verifies the next, building a chain of trust all the way up to the operating system. If an attacker can compromise this chain at the BootROM level, it\u2019s game over: the malicious code will execute before the main operating system even has a chance to load.<\/p>\n

This is exactly what attackers can do by exploiting the CVE-2026-25262<\/a> vulnerability discovered by Kaspersky ICS CERT researchers.<\/p>\n

Emergency Download Mode as an entry point<\/h2>\n

The research began with a protocol called Sahara. This is a component of Emergency Download Mode (EDL). Manufacturers and service centers use it to revive bricked devices: the phone is connected to a computer via USB, and a special utility program signed by the manufacturer (in this case, Qualcomm) is uploaded to it.<\/p>\n

Sahara is implemented directly within the ARM PBL (Primary Boot Loader) \u2014 the BootROM itself. This means the protocol runs before any operating system boots, before any user access privileges are checked, and before any security controls are activated. The device simply waits for a USB connection, ready to accept data.<\/p>\n

The communication scheme looks simple: the device sends a handshake (HELLO) to the computer, the computer selects the mode, a cycle begins to upload the utility program in chunks, and finally, the device executes the uploaded code. And it was within the verification logic of these very file chunks that the vulnerability was identified.<\/p>\n

Write-what-where: the core of the vulnerability<\/h2>\n

In technical terms, the bug introduced by the developers is classified as CWE-123: Write-What-Where Condition. This is about as bad as it gets when it comes to flaws in low-level programming. An attacker can write arbitrary data to an arbitrary address in the device memory.<\/p>\n

Without diving too deep into the technical weeds, suffice it to say that by exploiting the discovered vulnerability, attackers can gain access to any data on the device, including user-entered passwords, files, contacts, geolocation data, as well as the hardware sensors like the camera and microphone. In certain scenarios, complete control over the device is possible. Just a few minutes of physical access to the device via a cable connection, and the gadget has been compromised. This creates a risk if you hand your smartphone over to a repair shop, pass it to someone else to set up and install apps on, or just leave it unattended.<\/p>\n

Which devices are affected<\/h2>\n

The CVE-2026-25262 vulnerability affects the following Qualcomm chip series: MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 \u2014 every single version released to date, until the vulnerability is patched by the manufacturer.<\/p>\n

These are no obsolete museum pieces. The MDM9207, which we used for the bulk of our research, is integrated into modem modules for the internet of things (IoT), industrial equipment, smart home devices, healthcare monitoring systems, logistics trackers, and banking terminals. The MSM8916 powers many budget smartphones<\/a>, while the SDX50 is used in automotive control units.<\/p>\n

How vulnerable devices get attacked<\/h2>\n

The catch is that the attacker needs physical access to the device to pull this off. In the real world, this translates to:<\/p>\n