
CVE-2022-25662: Untrusted Pointer Dereference in Video in Qualcomm, Inc. Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables

Medium
Published: Wed Oct 12 2022 (10/12/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Qualcomm, Inc.
Product: Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables

Description

Information disclosure due to untrusted pointer dereference in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables

AI-Powered Analysis

Last updated: 07/04/2025, 19:25:05 UTC

Technical Analysis

CVE-2022-25662 is a medium-severity vulnerability affecting a broad range of Qualcomm Snapdragon platforms, including Snapdragon Auto, Compute, Connectivity, Consumer IoT, Industrial IoT, Mobile, and Wearables. The vulnerability arises from an untrusted pointer dereference in the video component of the kernel. Specifically, this is a type of memory corruption issue classified under CWE-119, which involves improper handling of pointers that can lead to information disclosure. An untrusted pointer dereference means that the kernel processes a pointer that could be controlled or influenced by an attacker, potentially causing the kernel to read from unintended memory locations. This can result in leakage of sensitive information from kernel memory to an unprivileged user or process.

The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) shows that the attack can be executed remotely over the network without privileges or user interaction, and the impact is limited to confidentiality (information disclosure) without affecting integrity or availability.

The affected versions include a wide range of Qualcomm chipsets and modules, such as APQ8096AU, MSM8996AU, various QCA and WCN series chips, and multiple Snapdragon SoCs including SD 8 Gen1 5G, SD710, SD888, SD865 5G, and others. No known exploits are reported in the wild, and no patches are linked in the provided data, suggesting that mitigation may require vendor updates or firmware upgrades.

The vulnerability is particularly relevant to devices running Qualcomm Snapdragon chips that handle video processing in the kernel, which could be smartphones, automotive systems, IoT devices, or wearables. Exploitation could allow attackers to gain unauthorized access to sensitive kernel memory, potentially exposing cryptographic keys, user data, or other confidential information stored in kernel space. Given the wide range of affected products, the vulnerability has a broad attack surface across multiple device categories.

Potential Impact

For European organizations, the impact of CVE-2022-25662 depends on the deployment of affected Qualcomm Snapdragon-based devices within their infrastructure. Enterprises using mobile devices, IoT sensors, automotive systems, or industrial equipment powered by these chipsets could face risks of sensitive information leakage. In sectors such as automotive manufacturing, critical infrastructure, telecommunications, and consumer electronics, unauthorized disclosure of kernel memory data could lead to exposure of credentials, encryption keys, or proprietary information. This could facilitate further attacks such as privilege escalation or lateral movement within networks. The vulnerability's network attack vector and lack of required privileges or user interaction increase the risk of remote exploitation, especially in connected environments. However, the absence of known exploits in the wild and the medium severity rating suggest that immediate widespread impact is limited but should not be underestimated. Organizations relying on devices with these Qualcomm chipsets should assess their exposure, particularly in high-security environments or where sensitive data is processed. The automotive sector in Europe, which increasingly integrates connected and autonomous vehicle technologies using Snapdragon Auto platforms, is notably at risk. Similarly, industrial IoT deployments in manufacturing and energy sectors could be vulnerable, potentially affecting operational technology (OT) systems.

Mitigation Recommendations

To mitigate CVE-2022-25662 effectively, European organizations should:

1) Inventory all devices and systems using affected Qualcomm Snapdragon chipsets, including mobile devices, IoT endpoints, automotive systems, and wearables.
2) Monitor vendor advisories from Qualcomm and device manufacturers for patches or firmware updates addressing this vulnerability and apply them promptly once available.
3) Where patches are not yet available, consider network segmentation and strict access controls to limit exposure of vulnerable devices to untrusted networks.
4) Employ runtime protection and kernel integrity monitoring on affected devices where feasible to detect anomalous behavior indicative of exploitation attempts.
5) For automotive and industrial IoT deployments, implement defense-in-depth strategies including secure boot, hardware-based security modules, and encrypted communications to reduce the risk of information leakage.
6) Conduct regular vulnerability assessments and penetration testing focusing on network-exposed devices with Qualcomm chipsets to identify potential exploitation paths.
7) Educate security teams about the nature of untrusted pointer dereference vulnerabilities and the importance of timely patch management in embedded and mobile environments.

These steps go beyond generic advice by emphasizing asset identification, vendor coordination, network controls, and specialized protections tailored to the diverse environments where Snapdragon platforms are deployed.


Technical Details

Data Version: 5.1
Assigner Short Name: qualcomm
Date Reserved: 2022-02-22T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec44b

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 7:25:05 PM

Last updated: 8/15/2025, 3:20:58 AM
