
Security researchers at Kaspersky say they uncovered a hardware-level issue in multiple Qualcomm Snapdragon chip families, and the company had already confirmed the flaw in April 2025. The vulnerability is being tracked as CVE-2026-25262 and was also discussed during Black Hat Asia 2026.
According to the report summarized by IT Home, the affected chip lines include MDM9x07, MSM9x45, MSM8916, and SDX50. Those platforms have been used across a wide range of products, not just phones, which is why the scope of this bug matters more than it would in a normal handset-only security story.
The weakness reportedly sits inside BootROM firmware embedded at the hardware layer. Researchers say an attacker could use it to bypass core protections in the secure boot chain, plant a malicious backdoor, and ultimately gain deep control over a compromised device.
The attack path is tied to the Sahara protocol, a low-level communication mechanism used in emergency download mode before the operating system fully loads. Because that protocol works so early in the startup process, a flaw there can undermine safeguards that would normally stop unauthorized code from taking hold.
Kaspersky says the issue could let someone with physical access compromise the application processor and potentially steal passwords, files, contacts, and location data. The same access could also be used to turn on the camera or microphone for covert monitoring.
One especially troubling part of the report is how little equipment is supposedly needed. The researchers say the infection process can be completed in just a few minutes of physical access, which raises concerns not only for individual owners but also for repair channels, supply-chain handling, and any environment where devices temporarily leave a user’s control.
The broader warning is that this kind of BootROM vulnerability can be unusually hard to detect or remove once a system has been compromised. Researchers say an infected device may even mimic a normal reboot state, leaving a user with little sign that malicious code is still present unless power is fully cut or the battery is exhausted.
That makes this more than another routine patch-cycle headline. If the findings hold across the affected hardware lines, the issue highlights how low-level silicon security can ripple outward into smartphones, connected devices, and embedded systems that were never designed with easy post-compromise recovery in mind.