CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2025-21423

Kernel Memory Corruption in Qualcomm Display Driver via Unvalidated Array Index in EnableTestMode

Alon Barad
Software Engineer

Mar 1, 2026·6 min read·19 visits

Executive Summary (TL;DR)

CVE-2025-21423 is a local privilege escalation vulnerability in Qualcomm's Display driver used in Snapdragon devices. It allows a local attacker to corrupt kernel memory by passing an unchecked array index to the `EnableTestMode` function. This affects Android devices and Windows-on-ARM laptops. There are no known active exploits, but the complexity to exploit is low.

A high-severity memory corruption vulnerability exists in the Qualcomm Display driver, affecting a broad range of Snapdragon Compute, Connectivity, and IoT platforms. The flaw resides in the handling of the `EnableTestMode` command, which is exposed to user-space applications via the driver's Escape interface. By supplying a crafted index value within the input buffer, a local attacker can trigger an out-of-bounds memory access (CWE-129). This primitive can be leveraged to corrupt kernel memory structures, leading to a Denial of Service (DoS) or, more critically, local privilege escalation to kernel level.

Vulnerability Overview

The Qualcomm Display driver serves as the interface between the operating system kernel and the display hardware subsystem. To support diagnostics and factory testing, the driver exposes a set of 'Escape' calls—vendor-specific extensions to the standard graphics driver API (such as D3DKMTEscape on Windows or specific ioctl commands on Linux/Android). These interfaces allow user-mode clients to send opaque command buffers directly to the kernel-mode driver.

The vulnerability, identified as CVE-2025-21423, is located specifically within the handler for the EnableTestMode command. This function is designed to activate specific diagnostic configurations based on user input. However, the mechanism used to select these configurations lacks robust input validation, creating a direct path for memory corruption.

Because graphics drivers typically have a wide attack surface and are accessible to low-privileged applications (to support rendering), this vulnerability presents a significant risk. It allows a compromised low-privileged process—such as a malicious app or a browser renderer process that has achieved a sandbox escape—to attack the kernel directly.

Root Cause Analysis

The root cause of this vulnerability is an Improper Validation of Array Index (CWE-129). The EnableTestMode function retrieves an integer index from the user-supplied input buffer and uses it to reference an internal array of test mode configuration structures or function pointers.

In the vulnerable code path, the driver fails to verify that the user-supplied index is strictly less than the number of defined test modes. The driver logic assumes the client will provide a valid index. This is a classic missing bounds check, where untrusted data directly controls memory access or, if the array holds function pointers, control flow.

When an attacker provides an index that exceeds the array's bounds, the driver calculates a memory address outside the intended data structure. If this operation is a read, it may leak adjacent kernel memory (information disclosure). If it is a write—for example, setting a 'mode active' flag—it results in memory corruption. Given the context of 'Enabling' a mode, the operation likely involves writing state data to the calculated address, making this a kernel memory corruption primitive.

Technical Code Analysis

While the exact proprietary source code is not public, the vulnerability follows a standard pattern often seen in driver dispatch routines. Below is a reconstruction of the vulnerable logic versus the remediated code path.

Vulnerable Logic

In the vulnerable version, the driver extracts the TestModeIndex and immediately uses it for pointer arithmetic.

NTSTATUS QclDisplayDispatchEscape(PVOID InputBuffer, ULONG InputSize) {
    // Cast input to expected structure
    PTEST_MODE_CMD cmd = (PTEST_MODE_CMD)InputBuffer;
 
    // VULNERABILITY: No check against MAX_TEST_MODES
    // The attacker controls cmd->TestModeIndex (e.g., 0xFFFFFFFF or large positive int)
    
    PTEST_CONFIG config = &GlobalTestModeArray[cmd->TestModeIndex];
    
    // Write to kernel memory (Corruption)
    config->IsEnabled = TRUE;
    config->Flags = cmd->Flags;
    
    return STATUS_SUCCESS;
}

Remediated Logic

The patch introduces a strict boundary check before the index is used. This ensures that the pointer arithmetic yields a valid address within the GlobalTestModeArray.

NTSTATUS QclDisplayDispatchEscape(PVOID InputBuffer, ULONG InputSize) {
    // Reject buffers too small to hold the command before reading any field
    if (InputBuffer == NULL || InputSize < sizeof(TEST_MODE_CMD)) {
        return STATUS_BUFFER_TOO_SMALL;
    }
    PTEST_MODE_CMD cmd = (PTEST_MODE_CMD)InputBuffer;

    // FIX: Validate index against the array size.
    // TestModeIndex must be an unsigned type for this single comparison to
    // also reject negative values; a signed index would need a lower bound too.
    if (cmd->TestModeIndex >= MAX_TEST_MODES) {
        return STATUS_INVALID_PARAMETER;
    }

    // Safe access: index is now within [0, MAX_TEST_MODES - 1]
    PTEST_CONFIG config = &GlobalTestModeArray[cmd->TestModeIndex];

    config->IsEnabled = TRUE;
    config->Flags = cmd->Flags;

    return STATUS_SUCCESS;
}

This simple validation effectively neutralizes the attack vector by rejecting malformed requests before any memory operation occurs.
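The following is an added user-space C model of the hardened dispatcher, not Qualcomm's code; the structure layouts, `MAX_TEST_MODES`, and the status values are assumptions built on the page's reconstruction. It shows the buffer-size check, why the comparison must be `>=`, how far an unchecked 32-bit index reaches from the array base, and the signed-index pitfall that a fix has to avoid.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the structures in the page's reconstruction;
 * sizes and names are assumptions, not Qualcomm's. */
#define MAX_TEST_MODES 8U

typedef struct { uint32_t TestModeIndex; uint32_t Flags; } TEST_MODE_CMD;

typedef struct {
    bool     IsEnabled;
    uint32_t Flags;
    uint8_t  Reserved[24];      /* pads each entry to 32 bytes */
} TEST_CONFIG;

static TEST_CONFIG GlobalTestModeArray[MAX_TEST_MODES];

enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = 1, STATUS_BUFFER_TOO_SMALL = 2 };

/* Byte distance from the array base that an unchecked index would reach;
 * computed arithmetically, never dereferenced. */
static uint64_t unchecked_offset(uint32_t idx) {
    return (uint64_t)idx * sizeof(TEST_CONFIG);
}

/* Hardened dispatcher: size check first, then the index bound. */
static int dispatch_enable_test_mode(const void *in, size_t in_size) {
    if (in == NULL || in_size < sizeof(TEST_MODE_CMD))
        return STATUS_BUFFER_TOO_SMALL;
    const TEST_MODE_CMD *cmd = in;
    /* ">=" is required: index MAX_TEST_MODES is one past the last entry. */
    if (cmd->TestModeIndex >= MAX_TEST_MODES)
        return STATUS_INVALID_PARAMETER;
    TEST_CONFIG *cfg = &GlobalTestModeArray[cmd->TestModeIndex];
    cfg->IsEnabled = true;
    cfg->Flags = cmd->Flags;
    return STATUS_SUCCESS;
}

static bool mode_enabled(uint32_t idx) {
    return idx < MAX_TEST_MODES && GlobalTestModeArray[idx].IsEnabled;
}

/* Pitfall: if the index were a signed int compared against a signed bound,
 * a negative index passes the check and reaches memory before the array. */
static bool signed_bound_check_passes(int32_t idx) {
    return idx < (int32_t)MAX_TEST_MODES;    /* true for idx == -1 */
}
```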

Exploitation Methodology

Exploitation of CVE-2025-21423 requires local code execution on the target device. The attack chain typically proceeds as follows:

  1. Interface Enumeration: The attacker identifies the handle to the display device. On Windows, this involves opening the GDI adapter; on Android, it involves opening the framebuffer or DRM device nodes (/dev/dri/card0).
  2. Escape Call Crafting: The attacker constructs a specifically formatted buffer matching the structure expected by the EnableTestMode handler. The critical payload is the TestModeIndex integer.
  3. Heap Grooming (Optional but likely): To maximize reliability, the attacker might perform heap spraying or grooming to ensure that the memory immediately following the GlobalTestModeArray contains sensitive data structures (like a process token or a function pointer table).
  4. Triggering the Corruption: The attacker invokes the Escape system call. The driver uses the OOB index to calculate a target address relative to the array base.
  5. Privilege Escalation:
    • Data-Only Attack: The attacker targets a structure like _SEP_TOKEN_PRIVILEGES (on Windows) or cred struct (on Linux/Android) to grant the current process elevated capabilities (e.g., SeDebugPrivilege or CAP_SYS_ADMIN).
    • Control Flow Hijacking: If the corruption overwrites a function pointer, the attacker can redirect execution to a ROP chain or shellcode (though Supervisor Mode Execution Prevention (SMEP) makes this harder, necessitating data-only attacks).

Impact Assessment

The impact of this vulnerability is rated High (CVSS 7.8).

Confidentiality & Integrity: Successful exploitation allows arbitrary modification of kernel memory. This is sufficient to bypass OS security controls, disable code signing enforcement, or extract encryption keys stored in kernel memory.

Availability: Improper usage of the OOB index can access unmapped memory pages, triggering a page fault in kernel mode. This results in an immediate system crash (Blue Screen of Death on Windows or Kernel Panic on Linux), causing a Denial of Service.

Scope: The vulnerability affects both mobile devices (Android smartphones using Snapdragon chips) and Always-Connected PCs (Windows on Snapdragon). This makes the blast radius significant, covering millions of consumer and enterprise devices.

Remediation & Mitigation

There are no viable workarounds for this vulnerability that do not involve patching, as disabling the display driver is not feasible for device operation. Remediation relies entirely on vendor updates.

For End Users:

  • Windows-on-ARM: Check Windows Update for firmware/driver updates. Look for 'Qualcomm System' or 'Display' driver updates released after April 2025.
  • Android: Install the Android Security Patch Level (SPL) matching the OEM's release timeline (typically included in the monthly security bulletin updates).

For Enterprise Administrators:

  • Deploy forced compliance policies to ensure devices (especially Snapdragon-based laptops like Surface Pro X or ThinkPad X13s) are running the latest driver versions.
  • Monitor EDR logs for abnormal D3DKMTEscape calls, although detection at this granularity is difficult without specific driver instrumentation.

Official Patches

Qualcomm April 2025 Security Bulletin

Technical Appendix

CVSS Score: 7.8 / 10
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 0.07% (top 79% most exploited)

Affected Systems

  • Snapdragon 8cx Gen 3 (Compute Platform)
  • Snapdragon 8cx Gen 2 (Compute Platform)
  • Snapdragon 7c+ Gen 3 (Compute Platform)
  • Snapdragon 8 Gen Series (Mobile)
  • Qualcomm FastConnect 6900/7800
  • Qualcomm WCD9385 Audio Codec

Affected Versions Detail

Product: Snapdragon Compute Platforms (Qualcomm)
Affected Versions: All versions prior to April 2025 Patch
Fixed Version: April 2025 Patch Level

Product: Snapdragon Mobile Platforms (Qualcomm)
Affected Versions: All versions prior to April 2025 Patch
Fixed Version: April 2025 Patch Level

CWE ID: CWE-129 (Improper Validation of Array Index)
CVSS v3.1: 7.8 (High)
Attack Vector: Local (AV:L)
Privileges Required: Low (PR:L)
Exploit Status: No Known Exploited Vulnerability (KEV)
EPSS Score: 0.07% (Low Probability)

MITRE ATT&CK Mapping

  • T1068 Exploitation for Privilege Escalation (Privilege Escalation)
  • T1211 Exploitation for Defense Evasion (Defense Evasion)

CWE-129: Improper Validation of Array Index

The product uses untrusted input as an index into an array, but it does not validate or incorrectly validates that the index is within the boundaries of the array.

Vulnerability Timeline

  • 2025-04-07: Vulnerability published by Qualcomm in the April 2025 Security Bulletin
  • 2025-04-07: CVE-2025-21423 assigned and published to NVD
  • 2025-04-14: Included in CISA Weekly Bulletin SB25-104
  • 2025-08-19: NVD record updated with comprehensive affected product configurations

References & Sources

  • [1] NVD - CVE-2025-21423 Detail
  • [2] CISA Weekly Vulnerability Summary SB25-104
