CVE-2025-21423

An Array of Problems: Pwning Qualcomm Snapdragon via a Test Mode Backdoor

Alon Barad
Software Engineer

Jan 2, 2026 · 7 min read

Executive Summary (TL;DR)

A classic out-of-bounds write in a Qualcomm driver function (`EnableTestMode`) allows a local, low-privileged attacker to corrupt kernel memory. This can be exploited for full privilege escalation. The attack vector is a malicious app. If your device is on the affected list and unpatched, you're in for a bad time.

CVE-2025-21423 is a classic memory corruption flaw in a vast range of Qualcomm Snapdragon products, from mobile phones to compute platforms. The vulnerability resides in the handling of 'Escape calls' to an `EnableTestMode` function, a feature likely intended for internal diagnostics. A local attacker with low privileges can supply a malicious array index, triggering an out-of-bounds write. This textbook error (CWE-129) allows for memory corruption that can be leveraged for a full system compromise, including privilege escalation and arbitrary code execution, turning a seemingly harmless app into a powerful spyware implant.

Technical Appendix

CVSS Score: 7.8 / 10 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

EPSS Probability: 0.03% (Top 94% most exploited)

Affected Systems

- Qualcomm Snapdragon Mobile Platforms
- Qualcomm Snapdragon Compute Platforms
- Qualcomm FastConnect Wi-Fi/Bluetooth Subsystems
- Qualcomm Audio Codecs (WCD/WSA series)
- A vast range of Android smartphones, tablets, and Windows-on-ARM laptops.

Affected Versions Detail

| Product | Vendor | Affected Versions | Fixed Version |
| --- | --- | --- | --- |
| Snapdragon 8cx Gen 3 Compute Platform | Qualcomm, Inc. | SC8280XP-AB, BB | - |
| Snapdragon 7c+ Gen 3 Compute | Qualcomm, Inc. | All | - |
| FastConnect 7800 | Qualcomm, Inc. | All | - |
| QCM6490 | Qualcomm, Inc. | All | - |

| Attribute | Detail |
| --- | --- |
| CWE ID | CWE-129 |
| CWE Name | Improper Validation of Array Index |
| Attack Vector | Local (AV:L) |
| Privileges Required | Low (PR:L) |
| CVSS v3.1 Score | 7.8 (High) |
| EPSS Score | 0.025% (Very Low Probability of Exploitation) |
| Impact | Privilege Escalation, Arbitrary Code Execution, Denial of Service |
| Exploit Status | poc |
| KEV Status | Not Listed |

CWE-129: Improper Validation of Array Index

The software uses an externally-controlled integer as an index to access an array, but the software fails to validate that the index is within the bounds of the array. This can allow an attacker to read or write to memory outside of the array's boundaries, leading to information disclosure, denial of service, or arbitrary code execution.
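The CWE-129 pattern described above, as an added C example; it is not Qualcomm's driver code and not from the original article. The request layout, table size and function names are hypothetical. It places the unchecked index use beside a handler that validates the payload length and both index bounds before writing.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TEST_MODE_SLOTS 8u          /* assumed size of the per-mode table */

struct test_mode_req {              /* hypothetical caller-supplied payload */
    int32_t  index;                 /* signed: negative values must be rejected too */
    uint32_t value;
};

struct test_mode_state {
    uint32_t slots[TEST_MODE_SLOTS];
    uint32_t guard;                 /* stands in for whatever sits after the array */
};

/* Unchecked form (the CWE-129 pattern): the caller's index selects the slot. */
int enable_test_mode_unchecked(struct test_mode_state *st,
                               const struct test_mode_req *req)
{
    st->slots[req->index] = req->value;  /* writes outside slots[] if index is not 0..7 */
    return 0;
}

/* Hardened form: validate length, snapshot the request, check both bounds. */
int enable_test_mode_checked(struct test_mode_state *st,
                             const void *buf, size_t len)
{
    struct test_mode_req req;

    if (st == NULL || buf == NULL || len < sizeof(req))
        return -EINVAL;             /* short payload: never parse past its end */
    memcpy(&req, buf, sizeof(req)); /* copy once so the checked value is the used value */
    if (req.index < 0 || (uint32_t)req.index >= TEST_MODE_SLOTS)
        return -ERANGE;             /* reject before any memory is touched */
    st->slots[req.index] = req.value;
    return 0;
}

int main(void)
{
    struct test_mode_state st = { .guard = 0xC0FFEEu };
    struct test_mode_req bad = { .index = 8, .value = 0x41414141u }; /* constructed input */
    return enable_test_mode_checked(&st, &bad, sizeof(bad)) == -ERANGE ? 0 : 1;
}
```

Checking only the upper bound on a signed index is a common incomplete fix, which is why the hardened handler tests for negative values separately.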

Vulnerability Timeline

- 2025-04-07: CVE Published and Qualcomm Security Bulletin Released.
- 2025-04-08: CVE record updated by MITRE.
- 2025-04-14: CISA includes the vulnerability in its weekly bulletin.
- 2025-08-19: NVD entry last modified.