CVE-2022-25710: Dereferencing a pointer that is already freed in Qualcomm, Inc. Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music
Denial of service due to null pointer dereference when GATT is disconnected in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music
AI Analysis
Technical Summary
CVE-2022-25710 is a medium-severity vulnerability affecting multiple Qualcomm Snapdragon platforms, including Snapdragon Auto, Consumer IoT, Industrial IoT, Mobile, and Voice & Music product lines. The root cause is a null pointer dereference triggered when the Generic Attribute Profile (GATT) connection is disconnected. Specifically, the vulnerability arises from dereferencing a pointer that has already been freed, leading to a denial of service (DoS) condition. This flaw is categorized under CWE-476 (NULL Pointer Dereference). The affected Snapdragon chipsets and modules span a broad range of Qualcomm’s wireless and connectivity solutions, including APQ, MDM, MSM, QCA, WCD, WCN, and WSA series components. These components are widely integrated into smartphones, automotive infotainment systems, industrial IoT devices, consumer IoT gadgets, and voice/music-enabled devices. The vulnerability does not require authentication or user interaction to be triggered, as it occurs during the GATT disconnection process, which is part of Bluetooth Low Energy (BLE) communications. No known exploits have been reported in the wild, and Qualcomm has not yet published patches for this issue. The vulnerability could be exploited remotely via Bluetooth connections, potentially causing affected devices to crash or become unresponsive, impacting availability. Given the broad deployment of Snapdragon chipsets in consumer and industrial devices, this vulnerability poses a risk to device stability and reliability.
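The defect class described above, shown from the defensive side as an added example; this is not Qualcomm's code, and the affected code path is not shown on this page. All names (`gatt_conn`, `conn_table`, `gatt_on_write_complete`) are hypothetical. The sketch assumes a late GATT event can arrive after the link is torn down, so the handler re-resolves the connection by handle and checks for NULL instead of dereferencing a cached pointer.

```c
#include <stdint.h>
#include <stdlib.h>
#define MAX_CONN 4
/* Hypothetical per-connection GATT state; not Qualcomm's structures. */
struct gatt_conn {
    uint16_t handle;
    unsigned completed_writes;
};
static struct gatt_conn *conn_table[MAX_CONN];

/* Resolve a connection handle; returns NULL once the link is gone. */
static struct gatt_conn *gatt_find(uint16_t handle)
{
    for (size_t i = 0; i < MAX_CONN; i++)
        if (conn_table[i] && conn_table[i]->handle == handle)
            return conn_table[i];
    return NULL;
}
int gatt_connect(uint16_t handle)
{
    if (gatt_find(handle)) return -1;        /* handle already in use */
    for (size_t i = 0; i < MAX_CONN; i++) {
        if (conn_table[i]) continue;
        conn_table[i] = calloc(1, sizeof(*conn_table[i]));
        if (!conn_table[i]) return -1;
        conn_table[i]->handle = handle;
        return 0;
    }
    return -1;                               /* table full */
}

/* Free the state and clear the slot so no stale pointer survives. */
int gatt_disconnect(uint16_t handle)
{
    for (size_t i = 0; i < MAX_CONN; i++) {
        if (!conn_table[i] || conn_table[i]->handle != handle) continue;
        free(conn_table[i]);
        conn_table[i] = NULL;
        return 0;
    }
    return -1;                               /* unknown or already gone */
}

/* Late event: re-resolve by handle instead of using a cached pointer. */
int gatt_on_write_complete(uint16_t handle)
{
    struct gatt_conn *c = gatt_find(handle);
    if (!c) return -1;       /* link already torn down: drop the event */
    return (int)++c->completed_writes;
}
```
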
Potential Impact
For European organizations, the impact of CVE-2022-25710 can be significant, especially for sectors relying heavily on Qualcomm Snapdragon-based devices. Telecommunications providers, automotive manufacturers, industrial automation companies, and consumer electronics firms could experience service disruptions due to device crashes caused by this vulnerability. In automotive contexts, affected infotainment or telematics systems could become unresponsive, potentially impacting driver experience or safety-related communications. Industrial IoT deployments may face operational interruptions, affecting manufacturing or critical infrastructure monitoring. The denial of service condition could also degrade user trust and operational continuity in consumer devices such as smartphones and wearable technology. Although no data confidentiality or integrity compromise is indicated, the availability impact alone could disrupt business processes and service delivery. The lack of known exploits reduces immediate risk, but the widespread presence of affected chipsets in European markets means that targeted attacks could emerge, particularly in high-value sectors. Organizations with large fleets of Snapdragon-based devices should be aware of potential downtime and plan accordingly.
Mitigation Recommendations
To mitigate CVE-2022-25710, European organizations should:
1) Inventory and identify all devices using affected Qualcomm Snapdragon chipsets across their environments, including mobile devices, automotive systems, and IoT endpoints.
2) Engage with device manufacturers and Qualcomm to obtain firmware or software updates addressing this vulnerability as soon as patches become available.
3) Implement network-level controls to restrict Bluetooth connectivity to trusted devices only, reducing exposure to unauthorized connection attempts that could trigger the vulnerability.
4) Monitor device logs and system behavior for signs of unexpected crashes or Bluetooth disconnections that could indicate exploitation attempts.
5) For critical systems, consider deploying layered redundancy or failover mechanisms to maintain availability in case of device failure.
6) Educate IT and security teams about the vulnerability’s characteristics to improve incident detection and response.
7) Where possible, disable or limit Bluetooth functionality on devices that do not require it, minimizing attack surface.
8) Collaborate with supply chain partners to ensure that devices procured are patched or not affected.
These steps go beyond generic advice by focusing on device-specific inventory, proactive vendor engagement, and operational controls tailored to the Bluetooth-based nature of the vulnerability.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: qualcomm
- Date Reserved: 2022-02-22T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9849c4522896dcbf6fee
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 7:37:35 PM
Last updated: 7/26/2025, 11:59:00 AM