Memory corruption in Qualcomm Strongbox due to missing bounds check

Successful exploitation can cause memory corruption in the affected Strongbox component. Based on the provided CVSS v3.1 vector (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), the vulnerability can have high impact on confidentiality, integrity, and availability, with changed scope. In practical terms, exploitation could enable compromise of the affected component, including potential access to sensitive data, unauthorized modification of data or execution state, and denial of service through crashes or instability. The exact post-exploitation behavior is not further specified in the provided content.

If the patch cannot be applied immediately, reduce exposure by limiting local access to the device, restricting untrusted code execution, and minimizing the ability of low-privileged local actors to interact with the affected component. Prioritize installation of OEM security updates carrying the 2026-06-05 Android security patch level or later. Because the issue affects a closed-source Qualcomm component, no specific configuration workaround is provided in the available content.

Apply the Qualcomm-provided fix referenced in the June 2026 Qualcomm security bulletin and deploy Android security updates that include the relevant vendor patch. The provided content indicates this issue is addressed in Google’s June 2026 Android security release, specifically in the 2026-06-05 security patch level that includes Qualcomm closed-source component fixes. Use vendor/OEM firmware incorporating the patched Qualcomm binaries.