The vulnerability CVE-2026-25262 affects the BootROM of Qualcomm chips including MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 series. It resides in the Sahara protocol used in Emergency Download Mode, which runs before the OS and security controls. The flaw is a CWE-123 write-what-where condition in the verification logic of file chunks uploaded via USB, enabling an attacker with physical access to write arbitrary data to arbitrary memory addresses. This compromises the chain of trust starting at BootROM, allowing execution of malicious code before the OS loads. The vulnerability cannot be patched on existing devices due to the immutable nature of BootROM. Qualcomm confirmed the issue, assigned CVE-2026-25262, and included it in their May 2026 security bulletin. They will fix the design in future chips but existing devices remain vulnerable. Physical access is required for exploitation, such as during third-party repairs or device inspection. The malicious code does not appear to persist in non-volatile memory and can be removed by fully powering off the device. Users are advised to maintain strict physical control, use authorized repair centers, and keep firmware updated to mitigate related risks.

Exploitation requires physical access to the device via USB. An attacker can write arbitrary data to any memory address in the device's BootROM context, compromising the secure boot chain. This allows unauthorized access to sensitive data (passwords, files, contacts, geolocation) and potentially full device control including hardware sensors. The vulnerability affects a wide range of Qualcomm chips used in smartphones, IoT devices, automotive control units, and industrial equipment. Because the BootROM is immutable, existing devices cannot be patched to fix this flaw. The malicious code does not appear to persist after a full power cycle, reducing long-term persistence risk. No known exploits in the wild have been reported to date.

There is no patch available for existing devices due to the immutable BootROM. Qualcomm plans to fix the vulnerability in future chip designs. Users should enforce strict physical control over devices, avoid leaving them unattended especially during travel or repairs, and only use authorized service centers. Regular firmware updates should be applied to mitigate other vulnerabilities, though they do not fix this BootROM issue. Using security software such as Kaspersky for Android can help protect against other threats that might compound this vulnerability. If suspicious device behavior is observed (overheating, unusual network traffic, strange app activity), a full power cycle (removing or draining the battery) can remove the malicious code. Users should monitor official Qualcomm advisories for updates.