CVE-2022-25692 in Snapdragon Autoinfo

Summary

by MITRE • 12/13/2022

Denial of service in Modem due to reachable assertion while processing the common config procedure in Snapdragon Auto, Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/07/2026

This vulnerability represents a critical denial of service condition affecting multiple Qualcomm Snapdragon product lines including automotive, mobile, compute, industrial IoT, and wearable devices. The flaw manifests during the common configuration procedure processing within the modem component, where a reachable assertion failure occurs that can be exploited to disrupt normal device operation. The vulnerability stems from insufficient input validation and error handling mechanisms within the modem's configuration processing logic, creating an exploitable path that allows attackers to trigger system instability through crafted configuration data.

The technical implementation of this vulnerability involves the modem's handling of configuration parameters during initialization or reconfiguration phases. When processing specific configuration procedures, the modem encounters a condition where an assertion check fails, leading to immediate system termination or reboot. This behavior aligns with CWE-617: Reachable Assertion, which describes situations where assertions can be triggered by external inputs, resulting in program termination or unexpected behavior. The assertion failure occurs in the modem firmware's configuration processing module, indicating weak defensive programming practices in handling potentially malicious or malformed configuration data.

From an operational perspective, this vulnerability poses significant risks to device availability and system reliability across various deployment scenarios. In automotive applications, such as those using Snapdragon Auto platforms, this could result in vehicle communication system failures or complete loss of connectivity during critical operations. For mobile and wearable devices, the impact translates to unexpected device reboots or complete system unresponsiveness, affecting user experience and potentially compromising device security. The vulnerability's reach across multiple product categories suggests a fundamental flaw in the modem firmware architecture that affects a broad spectrum of Qualcomm-powered devices.

The attack surface for this vulnerability encompasses any system utilizing Qualcomm Snapdragon modems that process configuration data through the affected procedure. This includes automotive telematics systems, mobile phones, IoT devices, and wearable technology where modem functionality is critical. The exploitability of this vulnerability is enhanced by the fact that it can be triggered through legitimate configuration procedures, making it particularly dangerous as it may not require special privileges or complex attack vectors. According to ATT&CK framework, this vulnerability maps to T1499.004: Endpoint Denial of Service, where adversaries can cause system instability through firmware-level manipulation.

Mitigation strategies should focus on firmware updates from device manufacturers, as the vulnerability resides in Qualcomm's modem components requiring coordinated patching across multiple device types. Organizations should implement robust configuration validation procedures and monitor for abnormal reboots or system instability patterns that may indicate exploitation attempts. Device manufacturers should also consider implementing additional runtime checks and error recovery mechanisms to prevent assertion failures from causing complete system disruption. Network-level monitoring can help detect anomalous configuration procedure patterns that may precede exploitation attempts, providing early warning capabilities for potential attacks targeting this vulnerability.

Responsible

Qualcomm, Inc.

Reservation

02/22/2022

Disclosure

12/13/2022

Moderation

accepted

CPE

ready

EPSS

0.00410

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!