Impact
A null pointer dereference occurs in the host operating system when it attempts to write to an invalid memory location during the secure data initialization phase. The failure is triggered by heap memory exhaustion, resulting in uncontrolled memory corruption that can lead to application crashes or system instability. The description does not explicitly state that arbitrary code execution is possible, but the unchecked memory writes could potentially corrupt critical data structures.
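The bug class described above, shown as an added example that is not vendor code or code from the advisory: an initialization routine that writes to an unchecked allocation beside a hardened form that fails closed when the heap is exhausted. All names (secure_ctx, secure_init_unchecked, secure_init_checked, exhausted_alloc) are hypothetical, and the allocator is injected so that exhaustion can be simulated.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types and names for illustration only. */
typedef void *(*alloc_fn)(size_t);

struct secure_ctx {
    unsigned char *key_buf;
    size_t key_len;
};

/* Constructed allocator that simulates heap exhaustion. */
static void *exhausted_alloc(size_t n) { (void)n; return NULL; }

/* Vulnerable pattern: the allocation result is written to unchecked.
 * Under heap exhaustion alloc() returns NULL and memset() faults. */
int secure_init_unchecked(struct secure_ctx *ctx, size_t len, alloc_fn alloc)
{
    ctx->key_buf = alloc(len);
    memset(ctx->key_buf, 0, len);   /* NULL write when alloc fails */
    ctx->key_len = len;
    return 0;
}

/* Hardened pattern: validate inputs, check the allocation, and leave
 * the context in a defined empty state on every failure path. */
int secure_init_checked(struct secure_ctx *ctx, size_t len, alloc_fn alloc)
{
    if (ctx == NULL || alloc == NULL || len == 0)
        return -1;                  /* invalid arguments */
    ctx->key_buf = NULL;
    ctx->key_len = 0;
    unsigned char *buf = alloc(len);
    if (buf == NULL)
        return -2;                  /* out of memory: fail closed */
    memset(buf, 0, len);
    ctx->key_buf = buf;
    ctx->key_len = len;
    return 0;
}

int main(void)
{
    struct secure_ctx ctx;
    /* secure_init_unchecked(&ctx, 32, exhausted_alloc) would fault here. */
    int rc = secure_init_checked(&ctx, 32, exhausted_alloc);
    return rc == -2 ? 0 : 1;
}
```

Injecting a failing allocator in unit tests is a direct way to confirm that every initialization path handles allocation failure before the code ships.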
Affected Systems
Qualcomm Snapdragon devices that run the host-level operating system (HLOS) are affected. Specific hardware models or firmware versions are not listed; users should consult the Qualcomm June 2026 security bulletin to determine whether their device is impacted.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity, and the vulnerability is not present in the CISA KEV catalog. No exploitability data collected over time is available, so it is unclear how often the heap exhaustion condition can be triggered in practice. The CVE does not define the attack vector explicitly, but the condition required for the flaw (heap exhaustion during secure data initialization) suggests that it may be exploitable from a local or privileged context. No public exploit or proof-of-concept is currently known, so the risk appears limited to devices on which the memory allocation scenario can be deliberately induced.