CVE-2026-21382 - Vulnerability Details - OpenCVE

Memory Corruption when handling power management requests with improperly sized input/output buffers.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Qualcomm Subscribe	Snapdragon Subscribe

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Qualcomm Subscribe	Snapdragon Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html

History

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Qualcomm Qualcomm snapdragon
Vendors & Products		Qualcomm Qualcomm snapdragon

Mon, 06 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 06 Apr 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Memory Corruption when handling power management requests with improperly sized input/output buffers.
Title		Buffer Copy Without Checking Size of Input in Power Management IC
Weaknesses		CWE-120
References		https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: qualcomm

Published: 2026-04-06T15:33:56.950Z

Updated: 2026-04-07T03:55:57.569Z

Reserved: 2025-12-17T04:35:45.743Z

Link: CVE-2026-21382

Vulnrichment

Updated: 2026-04-06T16:14:20.589Z

NVD

Status : Awaiting Analysis

Published: 2026-04-06T16:16:31.527

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-21382

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:31:55Z

Weaknesses

CWE-120

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21382", "assignerOrgId": "2cfc7d3e-20d3-47ac-8db7-1b7285aff15f", "state": "PUBLISHED", "assignerShortName": "qualcomm", "dateReserved": "2025-12-17T04:35:45.743Z", "datePublished": "2026-04-06T15:33:56.950Z", "dateUpdated": "2026-04-07T03:55:57.569Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Snapdragon Compute", "Snapdragon Industrial IOT"], "product": "Snapdragon", "vendor": "Qualcomm, Inc.", "versions": [{"status": "affected", "version": "Cologne"}, {"status": "affected", "version": "FastConnect 6900"}, {"status": "affected", "version": "FastConnect 7800"}, {"status": "affected", "version": "QCA0000"}, {"status": "affected", "version": "SC8380XP"}, {"status": "affected", "version": "WCD9378C"}, {"status": "affected", "version": "WCD9380"}, {"status": "affected", "version": "WCD9385"}, {"status": "affected", "version": "WSA8840"}, {"status": "affected", "version": "WSA8845"}, {"status": "affected", "version": "WSA8845H"}, {"status": "affected", "version": "X2000077"}, {"status": "affected", "version": "X2000086"}, {"status": "affected", "version": "X2000090"}, {"status": "affected", "version": "X2000092"}, {"status": "affected", "version": "X2000094"}, {"status": "affected", "version": "XG101002"}, {"status": "affected", "version": "XG101032"}, {"status": "affected", "version": "XG101039"}]}], "descriptions": [{"lang": "en", "value": "Memory Corruption when handling power management requests with improperly sized input/output buffers."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2cfc7d3e-20d3-47ac-8db7-1b7285aff15f", "shortName": "qualcomm", "dateUpdated": "2026-04-06T15:33:56.950Z"}, "references": [{"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html"}], "title": "Buffer Copy Without Checking Size of Input in Power Management IC"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-21382"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T03:55:57.569Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21382", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T16:12:45.825335Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T16:14:20.589Z"}}], "cna": {"title": "Buffer Copy Without Checking Size of Input in Power Management IC", "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Qualcomm, Inc.", "product": "Snapdragon", "versions": [{"status": "affected", "version": "Cologne"}, {"status": "affected", "version": "FastConnect 6900"}, {"status": "affected", "version": "FastConnect 7800"}, {"status": "affected", "version": "QCA0000"}, {"status": "affected", "version": "SC8380XP"}, {"status": "affected", "version": "WCD9378C"}, {"status": "affected", "version": "WCD9380"}, {"status": "affected", "version": "WCD9385"}, {"status": "affected", "version": "WSA8840"}, {"status": "affected", "version": "WSA8845"}, {"status": "affected", "version": "WSA8845H"}, {"status": "affected", "version": "X2000077"}, {"status": "affected", "version": "X2000086"}, {"status": "affected", "version": "X2000090"}, {"status": "affected", "version": "X2000092"}, {"status": "affected", "version": "X2000094"}, {"status": "affected", "version": "XG101002"}, {"status": "affected", "version": "XG101032"}, {"status": "affected", "version": "XG101039"}], "platforms": ["Snapdragon Compute", "Snapdragon Industrial IOT"], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html"}], "descriptions": [{"lang": "en", "value": "Memory Corruption when handling power management requests with improperly sized input/output buffers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "2cfc7d3e-20d3-47ac-8db7-1b7285aff15f", "shortName": "qualcomm", "dateUpdated": "2026-04-06T15:33:56.950Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21382", "state": "PUBLISHED", "dateUpdated": "2026-04-07T03:55:57.569Z", "dateReserved": "2025-12-17T04:35:45.743Z", "assignerOrgId": "2cfc7d3e-20d3-47ac-8db7-1b7285aff15f", "datePublished": "2026-04-06T15:33:56.950Z", "assignerShortName": "qualcomm"}, "dataVersion": "5.2"}

{"affected": [{"configurations": [{"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "Cologne"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "FastConnect 6900"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "FastConnect 7800"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "QCA0000"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "SC8380XP"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "WCD9378C"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "WCD9380"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "WCD9385"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "WSA8840"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "WSA8845"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "WSA8845H"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "X2000077"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "X2000086"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "X2000090"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "X2000092"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "X2000094"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "XG101002"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "XG101032"}}, {"platform": ["snapdragon_compute", "snapdragon_industrial_iot"], "status": "affected", "versions": {"scheme": "generic", "value": "XG101039"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Snapdragon", "source": "cna", "vendor": "Qualcomm, Inc."}, "product": "snapdragon", "vendor": "qualcomm"}], "analysis": {"en": {"generated_at": "2026-04-06T19:51:20.545909+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware patch for the Power Management IC as specified in Qualcomm\u2019s April\u202f2026 security bulletin.", "If a patch is not yet available, restrict the use of power\u2011management APIs to trusted code paths and avoid passing untrusted input data.", "Monitor system logs and performance for abnormal memory usage or crashes related to power\u2011management operations.", "Contact Qualcomm support for guidance if the vulnerability remains unpatched or to confirm patch status."], "summary": {"action": "Patch Immediately", "impact": "Potential Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "Qualcomm Snapdragon devices that use the affected Power Management IC firmware are impacted. The security bulletin does not list specific models or firmware revisions, so any Snapdragon device whose firmware processes power\u2011management requests with the vulnerable code could be at risk.", "description_and_impact": "This vulnerability arises from a buffer copy within the Power Management IC that does not validate the size of input or output buffers. The flaw can lead to memory corruption, enabling an attacker to overwrite adjacent memory and potentially execute arbitrary code or cause a denial of service. It is categorized as a classic buffer overflow under CWE-120.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity, yet EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. Based on the description, it is inferred that the attack requires manipulating power\u2011management inputs, which likely demands local or privileged access to the device. The absence of publicly available exploits does not reduce the risk, as the high severity and memory corruption nature maintain a significant threat."}}}}, "created": "2026-04-06T20:13:56.977550+00:00", "updated": "2026-04-06T21:31:55.336625+00:00", "vendors": ["qualcomm", "qualcomm$PRODUCT$snapdragon"]}