Description
Memory Corruption when handling flash commands due to outdated LED count values being used after userspace modification.
Published: 2026-07-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out-of-bounds write in the Snapdragon camera driver that occurs when flash commands are processed. Outdated LED count values are used after a user‑space modification, allowing a memory corruption in the kernel. This flaw can overwrite adjacent memory, potentially compromising the integrity of the system or leading to arbitrary code execution if exploitable. The weakness is indexed as CWE‑787.

Affected Systems

The vulnerability affects Qualcomm Snapdragon platform camera drivers. No specific firmware or OS version is documented in the public advisory. The issue may impact any device that relies on the vendor’s camera driver for flash command handling, including smartphones, tablets, or embedded devices running Qualcomm Snapdragon hardware.

Risk and Exploitability

Risk and exploitability CVSS score is 5.3, indicating a moderate risk. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector involves a local user or application that can send custom flash commands to the camera driver, which could consume the corrupted LED count data. The exploit would require the attacker to have privileges that allow interaction with the driver, making this flaw a candidate for local privilege escalation or, in an attacker‑controlled device, a potential gateway to remote code execution if the kernel is compromised. While no official solution or workaround is published, the flaw is accessible through the camera subsystem and might be mitigated by disabling or restricting camera access until a vendor patch is released.

Generated by OpenCVE AI on July 7, 2026 at 10:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Qualcomm’s 2026 July security bulletin for an available driver patch or update, and apply any firmware or software update that addresses the out-of-bounds write.
  • If no update is available, disable the device’s camera hardware or use application‑level permission controls to limit camera usage to trusted processes only.
  • Implement monitoring of system logs for abnormal camera activity or kernel crashes, and investigate any incidents promptly for signs of exploitation.
  • Apply general kernel hardening measures such as enabling address space layout randomization (ASLR) and page‑fault protection to reduce the impact of any memory corruption.

Generated by OpenCVE AI on July 7, 2026 at 10:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Description Memory Corruption when handling flash commands due to outdated LED count values being used after userspace modification.
Title Out-of-bounds Write in Camera Driver
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: qualcomm

Published:

Updated: 2026-07-07T13:10:43.683Z

Reserved: 2025-12-17T04:35:45.742Z

Link: CVE-2026-21369

cve-icon Vulnrichment

Updated: 2026-07-06T20:54:41.991Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T11:00:05Z

Weaknesses