Impact
The vulnerability arises from a use‑after‑free condition in Qualcomm’s DSP service when deprecated DMABUF IOCTL calls are used to manage video memory. This memory corruption can allow an attacker to corrupt control data or read/write arbitrary memory, which could lead to execution of arbitrary code or disruption of system operation. The weakness is identified as CWE‑416, a classic use‑after‑free flaw that undermines memory safety.
Affected Systems
The flaw affects a broad range of Qualcomm Snapdragon platforms and associated firmware, including Snapdragon Ar1 Gen 1, FastConnect 6900, FastConnect 7800, QCA0000, SC8380XP, WCD9378C, WCD9380, WCD9385, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H, X2000077, X2000086, X2000090, X2000092, X2000094, XG101002, XG101032, and XG101039. Specific affected firmware versions are not listed in the advisory, so all current releases of these products should be considered vulnerable until a patch is applied.
Risk and Exploitability
The CVSS score of 7.8 indicates a high-severity vulnerability, and the EPSS score of less than 1% suggests a low probability of current exploitation. The flaw is not included in the CISA Known Exploited Vulnerabilities list, which reduces the immediate threat level. The attack vector is inferred to be local, requiring access to the DSP service via the deprecated DMABUF IOCTLs; however, if the device exposes these calls to external processes, remote exploitation could be possible. Because the flaw is a use‑after‑free, successful exploitation could give an attacker privileged code execution or cause a denial of service on the device.