IoT, Potential Risk of CVE

CVE-2025-47372: Buffer Copy Without Checking Size of Input in Boot (5th Dec-2025)

Leave a comment

Qualcomm – Official announcement: 1st Dec 2025

Quote: I chose a Qualcomm product affected by this vulnerability as an example. The Snapdragon Ride™ Flex SoC, including the SA9000P series, does not run on a single embedded OS, but rather supports mixed-criticality operating systems such as those provided by Qualcomm’s partners or the automaker themselves.

Preface: Secure boot is defined as a boot sequence in which each software image to be executed is authenticated by software that was previously verified. This sequence is designed to prevent unauthorized or modified code from being run. Our chain of trust is built according to this definition, starting with the first piece of immutable software to be run out of read-only-memory (ROM). This first ROM bootloader cryptographically verifies the signature of the next bootloader in the chain, then that bootloader cryptographically verifies the signature of the next software image or images, and so on.

Background: Unlike other signed software images, the signature for Qualcomm Technologies signed images is only computed over a single segment in the image and not the entire image. The segment containing the signature is called the hash segment. This hash segment is a collection of the hash values of the other ELF segments that are included in the image. In other words we sign the collection of ELF segment hashes, rather than signing the entire ELF image. This representation is designed to relax memory size requirements and increases flexibility during loading.

Vulnerability details: The vulnerability described (CVE-2025-47372) is a heap overflow caused by reading an oversized ELF image into a buffer without proper bounds checking or authentication.

•       The overflow occurs during the write operation, before free() is called.

•       Once data exceeds the allocated size, adjacent memory is already corrupted.

•       Freeing memory only releases the block back to the allocator; it cannot undo corruption or prevent exploitation.

Official announcement: Please refer to the link for details

https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.