Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-25262 Write-What-Where in Qualcomm Sahara confirmed on Snapdragon 8 Gen 1 (SM8450) – partial Firehose auth bypass

0
High
VulnerabilityCVE-2026-25262cybersecurityreddithigh-prioritycve-
Published: 07/08/2026 (07/08/2026, 13:33:30 UTC)
Source: Reddit Cybersecurity

Description

CVE-2026-25262 is a write-what-where vulnerability in the Qualcomm Sahara protocol confirmed experimentally on the Snapdragon 8 Gen 1 (SM8450) platform. The vulnerability allows arbitrary writes to SRAM during the Sahara handshake, bypassing signature verification and partially bypassing Firehose loader authorization. While the loader executes and responds to commands without authorization errors, full UFS storage access has not yet been achieved. The vulnerability was previously known to affect only legacy 32-bit Qualcomm platforms, but this research extends its applicability to modern 64-bit ARMv9 SoCs. Further investigation is ongoing to achieve full Firehose initialization and understand TrustZone dependencies. No official patch or remediation guidance is currently available.

Reddit Discussion

r/cybersecurity·posted by u/Asleep_Building_6669
00

I’d like to share the results of an experimental research note on the applicability of CVE-2026-25262 (Kaspersky ICS CERT, May 2026) to a modern 64-bit ARMv9 Qualcomm platform.

**Device:** POCO F4 GT (ingres) / Snapdragon 8 Gen 1 (SM8450, Waipio).

**What was done:**

- Static analysis of the engineering Firehose loader (`xbl_s_devprg_ns.melf`) in Ghidra identified the authorization state structure at `0x6B9CD500` (critical field `0x6B9CD538`).

- A modified Sahara client (`cve_final_single`, based on B. Kerler's edl) was created to exploit the CVE and deliver the loader to an arbitrary SRAM address (`0x2211C000`) *without* signature verification.

- An additional `SAHARA_CMD_RECV_DATA` packet injected the value `5` into the `is_authenticated` field before control was transferred to Firehose.

**Result (partial success):**

- Arbitrary write to SRAM via CVE-2026-25262 is **confirmed working** on SM8450.

- The loader executes and responds to commands (`nop` succeeds), no authorization error is observed.

- Full UFS access is **not yet achieved**; `getstorageinfo` and `read` return empty responses. Two hypotheses are being investigated: (1) loading only the LOAD segments without ELF/certificate overlay, and (2) potential TrustZone/SMC dependencies.

**Why this might be interesting:**

The official Qualcomm list for CVE-2026-25262 includes only 32-bit legacy platforms. This experiment suggests that the vulnerable code path in the Boot ROM is also present on the latest flagship SoCs, widening the scope of the vulnerability.

Full article, logs, PBL status codes, and static analysis notes are available in the repository:

https://github.com/shurikgo/cve-2026-25262-sm8450-research

No full exploit code is provided; the published material is sufficient for independent verification and further research.

*This work is shared for educational and research purposes only.*

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/09/2026, 01:13:30 UTC

Technical Analysis

This vulnerability, CVE-2026-25262, involves a write-what-where condition in the Qualcomm Sahara protocol used during device boot and programming. Experimental research confirmed that on the Snapdragon 8 Gen 1 (SM8450) platform, an attacker can inject a value into the Firehose loader's authorization state structure in SRAM, bypassing signature verification and partially bypassing authentication. The Firehose loader executes and responds to basic commands without authorization errors, but full access to UFS storage is not yet achieved, likely due to incomplete loader initialization or TrustZone/SMC call dependencies. This expands the known affected platforms beyond the official list limited to 32-bit legacy chipsets. The research is documented with static analysis, logs, and experimental tools but does not include full exploit code. The vulnerability remains under active investigation with no confirmed patch or fix.

Potential Impact

The vulnerability enables an attacker with access to the Sahara protocol interface to perform arbitrary writes to SRAM, bypassing signature verification and partially bypassing Firehose loader authorization on Snapdragon 8 Gen 1 devices. This could allow unauthorized code execution in the loader context. However, full access to the device's UFS storage has not been demonstrated, indicating incomplete exploitation. The expanded affected platform scope increases the potential attack surface to modern Qualcomm flagship SoCs. No known exploits in the wild have been reported.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch has been published for this vulnerability on Snapdragon 8 Gen 1 platforms. Until a vendor fix is available, mitigation options are limited. Monitor official Qualcomm security advisories for updates. The research is ongoing, and further analysis may clarify additional mitigation steps.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Source Type
reddit
Subreddit
cybersecurity
Reddit Score
0
Discussion Level
minimal
Content Source
reddit_link_post
Post Type
link
Domain
null
Newsworthiness Assessment
{"score":53,"reasons":["external_link","newsworthy_keywords:cve-","security_identifier","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":["cve-"],"foundNonNewsworthy":[]}
Has External Source
true
Trusted Domain
false

Threat ID: 6a4ef5a6c9d9e3dbe32a977a

Added to database: 07/09/2026, 01:13:10 UTC

Last enriched: 07/09/2026, 01:13:30 UTC

Last updated: 07/09/2026, 01:13:30 UTC

Views: 1

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses