Skip to main content

CVE-2022-25664: Information Exposure in Graphics Linux in Qualcomm, Inc. Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables

Medium
VulnerabilityCVE-2022-25664cvecve-2022-25664
Published: Wed Oct 12 2022 (10/12/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Qualcomm, Inc.
Product: Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables

Description

Information disclosure due to exposure of information while GPU reads the data in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables

AI-Powered Analysis

AILast updated: 07/04/2025, 19:25:32 UTC

Technical Analysis

CVE-2022-25664 is an information disclosure vulnerability affecting a wide range of Qualcomm Snapdragon platforms, including Snapdragon Auto, Compute, Connectivity, Consumer IoT, Industrial IoT, Mobile, and Wearables. The vulnerability arises from improper handling of data during GPU read operations within the Linux graphics subsystem on these Snapdragon chipsets. Specifically, sensitive information can be exposed when the GPU reads data, potentially leaking confidential information to unauthorized processes or users. The affected Snapdragon versions span numerous chipsets used in various device categories, from mobile phones and wearables to automotive and industrial IoT devices. The vulnerability is classified under CWE-459 (Incomplete Cleanup), indicating that sensitive data remnants are not properly cleared or protected during processing. The CVSS v3.1 base score is 6.2 (medium severity), with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). This means an attacker with local access to the device could exploit this flaw without needing privileges or user interaction to gain access to sensitive information. There are no known exploits in the wild as of the publication date (October 12, 2022), and no official patches are linked in the provided data, suggesting that mitigation may require vendor updates or workarounds. Given the broad range of affected chipsets, this vulnerability potentially impacts a large ecosystem of devices that rely on Qualcomm Snapdragon processors, including smartphones, automotive systems, and IoT devices running Linux-based graphics stacks. The exposure of sensitive data could lead to privacy breaches, leakage of cryptographic keys, or other confidential information depending on the data processed by the GPU.

Potential Impact

For European organizations, the impact of CVE-2022-25664 could be significant, especially for those relying on devices powered by affected Qualcomm Snapdragon chipsets. This includes enterprises using mobile devices, automotive manufacturers deploying Snapdragon Auto platforms, and industries utilizing IoT devices for critical infrastructure or consumer services. The confidentiality breach could expose sensitive corporate data, user credentials, or cryptographic material, potentially facilitating further attacks or espionage. In automotive contexts, information leakage could undermine vehicle security or privacy, affecting connected car systems prevalent in Europe’s automotive sector. Industrial IoT deployments in manufacturing or energy sectors could also be at risk, potentially exposing operational data or intellectual property. The medium severity rating reflects that while the vulnerability does not directly impact system integrity or availability, the confidentiality impact is high, which can have downstream effects on trust and compliance with data protection regulations such as GDPR. The requirement for local access limits remote exploitation but does not eliminate risk, as compromised or insider devices could be leveraged to exploit this flaw. Given the widespread use of Snapdragon chipsets in consumer and industrial devices across Europe, the vulnerability poses a broad attack surface that could be targeted by threat actors aiming to extract sensitive information from endpoints or embedded systems.

Mitigation Recommendations

To mitigate CVE-2022-25664 effectively, European organizations should: 1) Inventory and identify all devices using affected Qualcomm Snapdragon chipsets, including mobile, automotive, and IoT devices. 2) Monitor Qualcomm and device vendors for official patches or firmware updates addressing this vulnerability and prioritize timely deployment once available. 3) Restrict local access to devices, enforcing strict physical and logical access controls to minimize the risk of local exploitation. 4) Employ endpoint detection and response (EDR) solutions capable of monitoring unusual GPU or graphics subsystem activity that could indicate exploitation attempts. 5) For automotive and industrial IoT systems, implement network segmentation and device isolation to limit lateral movement from potentially compromised devices. 6) Where possible, disable or limit GPU access for untrusted applications or users to reduce the attack surface. 7) Engage with device manufacturers to confirm vulnerability status and request security updates or mitigations if not yet provided. 8) Incorporate this vulnerability into risk assessments and incident response plans, preparing for potential information leakage scenarios. These steps go beyond generic advice by focusing on device-specific inventory, access control, monitoring GPU-related activities, and proactive vendor engagement, which are critical given the local access requirement and the diversity of affected platforms.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
qualcomm
Date Reserved
2022-02-22T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fa1484d88663aec44f

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 7:25:32 PM

Last updated: 8/15/2025, 11:10:46 AM

Views: 15

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats