Kaspersky has uncovered a hardware-level flaw in Qualcomm Snapdragon chipsets that could let an attacker with a few minutes of physical access take over a device completely. Presented at Black Hat Asia 2026, the vulnerability sits in the BootROM, the most fundamental firmware layer on the chip, which makes it both serious and hard to fix.
The reason this one stings is where it lives. Most security flaws are in software you can patch. A BootROM flaw is baked into the silicon, so it cannot simply be patched away, and it sits below the operating system where normal security tools cannot see it. The vulnerability has been assigned CVE-2026-25262.
What an attacker could do
Kaspersky ICS CERT traced the issue to the Sahara protocol, the low-level system a Qualcomm chip uses when it enters Emergency Download Mode for repairs or recovery. A flaw in that process lets an attacker with physical access bypass the chip's security protections, break the secure boot chain and, in some cases, plant malicious apps or backdoors on the chip's application processor.
On a phone or tablet that means the attacker can capture entered passwords, then reach files, contacts, location and even the camera and microphone. The affected parts span the Qualcomm MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952 and SDX50 series, with other Qualcomm chips possibly at risk. The vulnerability was reported to Qualcomm in March 2025 and acknowledged that April.
Why physical access still matters
It is tempting to dismiss any attack that needs to touch the device, but that misses the real exposure. Kaspersky warns the risk extends to the supply chain and to everyday moments like sending a phone for repair or leaving it unattended. A few minutes is enough, so a device that has left your hands cannot be assumed clean.
The advice is uncomfortable but worth repeating. Kaspersky's Sergey Anufrienko notes that a reboot may not help, because a compromised system can fake a restart without actually resetting. Only a full loss of power, including battery depletion, guarantees a clean restart. The practical takeaways are simple: keep tight physical control of your devices, and be cautious about who handles them during repair or resale.
This piece covers a cybersecurity research finding. It describes the risk and Kaspersky's recommended precautions, not any method of exploitation.

