CVE-2019-14041
HIGH
Qualcomm Snapdragon Firmware - Buffer Overflow in Listener Modified Response Processing
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2019-14041. PoCs published by tamirzb.
AI-analyzed exploit summary
This repository contains a functional proof-of-concept exploit for CVE-2019-14041, a race condition vulnerability in Qualcomm's qseecom driver. The exploit triggers a kernel panic on affected devices by manipulating ION memory allocations and exploiting a race condition in the QSEECOM_IOCTL_APP_LOADED_QUERY_REQ and QSEECOM_IOCTL_SEND_MODFD_RESP_64 ioctls.
Description
During listener modified response processing, a buffer overrun occurs due to a lack of buffer size verification when updating the message buffer with physical address information.
Affected product lines: Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.
Affected chipsets: APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, Nicobar, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130.
Exploits (1)
References (1)
Scores
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H