CVE-2025-47373: About Qualcomm – Fixed a typical Type Confusion or Improper Bounds Check within the firmware’s protocol stack. (5th Mar 2026)

Preface: 5G Timing Advance (TA) invocation is a mechanism where the base station (gNB) instructs user equipment (UE) to advance its uplink transmission timing to compensate for signal propagation delays. This synchronization ensures that signals from UEs at different distances arrive at the gNB within the same time slot, preventing interference.

Background: In the 5G NR (New Radio) 4-step RACH (Random Access Channel) procedure, TA (Timing Advance) is a critical parameter provided within Msg2, also known as the Random Access Response (RAR). For NR Random Access Response (Msg2):

RAR payload = exactly 7 bytes (56 bits)

  • 1 reserved bit
  • 12-bit Timing Advance Command
  • 27-bit Uplink Grant
  • 16-bit Temporary C-RNTI

Plus 1 byte MAC subheader (RAPID)

Total bytes read by UE MAC = 8 bytes per RAR

This is fixed by the spec: there is no variable-length TA field in Msg2, and the TA command in the RAR is always 12 bits.

Vulnerability details: CVE-2025-47373. This is a classic case of Type Confusion or an Improper Bounds Check within the firmware’s protocol stack. In the context of Qualcomm modem components (like those in the Snapdragon 8 Gen 3), when the firmware confuses the two differently sized TA fields (the 12-bit command carried in the RAR and the 6-bit command carried in the Timing Advance Command MAC CE), it creates a significant security vulnerability.

Why does this constitute a CVE-worthy vulnerability? If the firmware reuses the same handler or buffer without validating the context (RAR vs. MAC CE), it leads to:

  • Integer Overflow/Truncation: Forcing a 12-bit RAR TA (up to 3846) into a logic path or variable that expects a 6-bit value (0-63) corrupts the data held in the accumulator.
  • Buffer Overflow: If the 12-bit data is written into a memory structure (like a bit-field or a small array) designed only for 6-bit values, it will overwrite adjacent memory.
  • Out-of-bounds (OOB) Write: In the Snapdragon scheduling logic, TA values are often used to calculate offsets in timing tables. An unvalidated 12-bit value can cause a pointer to point outside the intended buffer.
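To make the missing check concrete, here is an added example (my own illustration, not Qualcomm code or anything from the bulletin) that parses the two TA carriers described above and refuses to feed a value from one context into the accumulator logic of the other. The bit layouts follow TS 38.321 and the N_TA formulas follow TS 38.213; every identifier and the constructed test bytes are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Field limits from the post and TS 38.213: the RAR TA command is 12 bits with a
   valid index of 0..3846; the MAC CE TA command is 6 bits, index 0..63.
   All names here are hypothetical, not Qualcomm firmware identifiers. */
#define RAR_TA_MAX   3846u
#define MACCE_TA_MAX 63u

enum ta_ctx { TA_CTX_RAR, TA_CTX_MAC_CE };

/* Extract the 12-bit TA command from one 8-byte RAR (1-byte RAPID subheader +
   7-byte payload laid out R(1) | TA(12) | UL grant(27) | TC-RNTI(16)). */
bool rar_parse_ta(const uint8_t *rar, size_t len, uint16_t *ta)
{
    if (rar == NULL || ta == NULL || len < 8) return false;
    const uint8_t *p = rar + 1;                       /* skip the subheader */
    /* p[0] bit 7 is reserved; TA = low 7 bits of p[0] followed by high 5 bits of p[1] */
    *ta = (uint16_t)(((p[0] & 0x7Fu) << 5) | (p[1] >> 3));
    return true;
}

/* Extract TAG id and 6-bit TA command from a 1-byte TA Command MAC CE: TAG(2) | TA(6). */
bool macce_parse_ta(const uint8_t *ce, size_t len, uint8_t *tag, uint8_t *ta)
{
    if (ce == NULL || tag == NULL || ta == NULL || len < 1) return false;
    *tag = ce[0] >> 6;
    *ta  = ce[0] & 0x3Fu;
    return true;
}

/* Context-aware bounds check before the shared accumulator is touched. A RAR TA is
   absolute (N_TA = T_A*16*64/2^mu); a MAC CE TA is a relative step
   (N_TA += (T_A-31)*16*64/2^mu). A value wider than its context allows is rejected,
   which is exactly the validation the post says was missing. */
bool ta_apply(enum ta_ctx ctx, uint8_t mu, uint16_t ta_cmd, int32_t *n_ta)
{
    if (n_ta == NULL || mu > 6) return false;
    int32_t unit = (16 * 64) >> mu;
    if (ctx == TA_CTX_RAR) {
        if (ta_cmd > RAR_TA_MAX) return false;
        *n_ta = (int32_t)ta_cmd * unit;
        return true;
    }
    if (ta_cmd > MACCE_TA_MAX) return false;          /* a 12-bit value never gets past here */
    int32_t next = *n_ta + ((int32_t)ta_cmd - 31) * unit;
    /* example policy: keep N_TA within the span an initial RAR could have set */
    if (next < 0 || next > (int32_t)RAR_TA_MAX * unit) return false;
    *n_ta = next;
    return true;
}
```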

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/securitybulletin/march-2026-bulletin.html
