On the Android system, finding new attack surfaces to achieve root privilege remains a hot topic among security researchers. In the past, the most commonly used rooting attack surfaces were Binder and the GPU. Since OffensiveCon 2025, a novel rooting attack surface, the Qualcomm DSP driver, has drawn the attention of the security community. We will share our research on the Qualcomm DSP driver. The vulnerabilities we found, and our exploit on the latest device, show that it is still an important attack surface for rooting.
We will first deep dive into the Qualcomm DSP driver and then disclose the details about how to access the Qualcomm DSP driver from a zero-permission application.
We will provide an overview of the vulnerabilities we discovered, 7 issues in the first generation (prior to 2025) and 4 issues in the second generation (from May 2025) of the DSP driver. Our deep dive will focus on CVE-2025-47394, a severe vulnerability in the latest second-generation driver.
We will disclose the end-to-end exploit details for CVE-2025-47394, demonstrating how to achieve highly reliable root privilege escalation from a zero-permission userspace application on the latest Qualcomm devices. This includes triggering the memory corruption issue and all the advanced technical steps needed to bypass modern kernel mitigations (KASLR, kCFI, etc.) to gain arbitrary code execution.
We will conclude with a live demonstration and discussion on future hardening strategies.
Xiling Gong is a Security Researcher at Google on the Android Red Team, focusing on finding and exploiting vulnerabilities in the low-level components of the Android platform and Pixel devices.