Kaspersky flags Qualcomm chip vulnerability risk
By Staff Writer
Kaspersky ICS CERT said it discovered a hardware-level vulnerability in Qualcomm chipsets that could allow attackers with physical access to affected devices to steal data, compromise sensors, install backdoors, or, in some cases, take full control of a device.
The cybersecurity firm said the flaw affects Qualcomm chipsets used in smartphones, tablets, car components, internet of things devices, and other consumer and industrial equipment.
The vulnerability resides in the BootROM, firmware embedded at the hardware level that runs before the device operating system starts.
Kaspersky presented the findings at Black Hat Asia 2026.
The flaw affects Qualcomm MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 series chipsets, according to Kaspersky’s advisory. Other Qualcomm-based chips may also be affected.
Kaspersky said it reported the vulnerability to Qualcomm in March 2025, and that Qualcomm formally acknowledged it in April 2025.
The vulnerability has been assigned the identifier CVE-2026-25262.
Kaspersky researchers examined the Sahara protocol, a low-level communication system used when a Qualcomm chip enters Emergency Download Mode, or EDL.
EDL is a special recovery mode used to repair or restore smartphones and other devices.
Sahara acts as the first step that allows a computer to connect to the device and load software before the device operating system starts.
Kaspersky said a security flaw in that process could allow an attacker with physical access to bypass key security protections, compromise the secure boot chain, and, in some cases, deploy malicious applications and backdoors to the chip’s Application Processor.
The company said that in some attack scenarios the compromise could extend to the entire device.
For smartphones and tablets, Kaspersky said attackers could potentially access entered user passwords, files, contacts, location data, and device sensors such as the camera and microphone.
Kaspersky said a potential attacker would need only a few minutes of physical access to a vulnerable device to compromise it.
The company warned that devices sent for repair or left unattended for a short period could no longer be assumed to be uncompromised.
Researchers also said the risk extends beyond individual users and includes possible compromise of devices while they are still in the supply chain.
“Vulnerabilities like this may allow attackers to deploy malware that is difficult to detect and remove. In practice, this could enable covert data collection or influence device behavior over extended periods of time. While a reboot might seem like an effective way to remove such malware, it cannot always be relied upon: compromised systems may simulate a reboot without actually resetting. In such cases, only a complete loss of power – including battery depletion – guarantees a clean restart,” Sergey Anufrienko, security expert at Kaspersky ICS CERT, said.
Kaspersky advised organizations and individual users to maintain strict physical security controls over devices, including during supply, maintenance, and decommissioning.
The company said that restarting a device by cutting power to the affected chip, where the hardware allows it, or by fully discharging the battery may help remove malware if it has been installed.
Kaspersky ICS CERT said the issue is classified as a CWE-123 “write-what-where” condition vulnerability that could allow an attacker with physical access to bypass the secure boot chain and execute arbitrary code with maximum privileges.