CVE-2020-11260 [High] | Security Vulnerability in Apq8017 Firmware

CVE-2020-11260 is rated Low Risk (35.8/100): CVSS High severity, with low exploitation likelihood (EPSS 0.17%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.04%	0.17%	+0.13%
2	2025-03-30	0.07%	0.04%	-0.03%
3	2025-03-29	—	0.07%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.04%

0.17%

+0.13%

2025-03-30

0.07%

0.04%

-0.03%

2025-03-29

—

0.07%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.4	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.5	5.9	[email protected]
7.2	2.0	HIGH	`AV:L/AC:L/Au:N/C:C/I:C/A:C` Click to expand Access vector (AV:L) Requires local access to the target system. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:C) Complete confidentiality impact. Integrity impact (I:C) Complete integrity impact. Availability impact (A:C) Complete availability impact.	3.9	10.0	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

8.4

3.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.5

5.9

[email protected]

7.2

2.0

HIGH

AV:L/AC:L/Au:N/C:C/I:C/A:C Click to expand

Access vector (AV:L): Requires local access to the target system.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

3.9

10.0

[email protected]

Affected software / configurations for CVE-2020-11260

Vendor	Product	Version	Raw CPE
qualcomm	apq8017_firmware	—	cpe:2.3:o:qualcomm:apq8017_firmware:-:::::::*
qualcomm	apq8053_firmware	—	cpe:2.3:o:qualcomm:apq8053_firmware:-:::::::*
qualcomm	aqt1000_firmware	—	cpe:2.3:o:qualcomm:aqt1000_firmware:-:::::::*
qualcomm	msm8917_firmware	—	cpe:2.3:o:qualcomm:msm8917_firmware:-:::::::*
qualcomm	msm8953_firmware	—	cpe:2.3:o:qualcomm:msm8953_firmware:-:::::::*
qualcomm	pm215_firmware	—	cpe:2.3:o:qualcomm:pm215_firmware:-:::::::*
qualcomm	pm3003a_firmware	—	cpe:2.3:o:qualcomm:pm3003a_firmware:-:::::::*
qualcomm	pm4125_firmware	—	cpe:2.3:o:qualcomm:pm4125_firmware:-:::::::*
qualcomm	pm439_firmware	—	cpe:2.3:o:qualcomm:pm439_firmware:-:::::::*
qualcomm	pm456_firmware	—	cpe:2.3:o:qualcomm:pm456_firmware:-:::::::*
qualcomm	pm6125_firmware	—	cpe:2.3:o:qualcomm:pm6125_firmware:-:::::::*
qualcomm	pm6150_firmware	—	cpe:2.3:o:qualcomm:pm6150_firmware:-:::::::*
qualcomm	pm6150a_firmware	—	cpe:2.3:o:qualcomm:pm6150a_firmware:-:::::::*
qualcomm	pm6150l_firmware	—	cpe:2.3:o:qualcomm:pm6150l_firmware:-:::::::*
qualcomm	pm6250_firmware	—	cpe:2.3:o:qualcomm:pm6250_firmware:-:::::::*
qualcomm	pm6350_firmware	—	cpe:2.3:o:qualcomm:pm6350_firmware:-:::::::*
qualcomm	pm660_firmware	—	cpe:2.3:o:qualcomm:pm660_firmware:-:::::::*
qualcomm	pm660a_firmware	—	cpe:2.3:o:qualcomm:pm660a_firmware:-:::::::*
qualcomm	pm660l_firmware	—	cpe:2.3:o:qualcomm:pm660l_firmware:-:::::::*
qualcomm	pm7150a_firmware	—	cpe:2.3:o:qualcomm:pm7150a_firmware:-:::::::*
qualcomm	pm7150l_firmware	—	cpe:2.3:o:qualcomm:pm7150l_firmware:-:::::::*
qualcomm	pm7250_firmware	—	cpe:2.3:o:qualcomm:pm7250_firmware:-:::::::*
qualcomm	pm7250b_firmware	—	cpe:2.3:o:qualcomm:pm7250b_firmware:-:::::::*
qualcomm	pm7350c_firmware	—	cpe:2.3:o:qualcomm:pm7350c_firmware:-:::::::*
qualcomm	pm8004_firmware	—	cpe:2.3:o:qualcomm:pm8004_firmware:-:::::::*
qualcomm	pm8008_firmware	—	cpe:2.3:o:qualcomm:pm8008_firmware:-:::::::*
qualcomm	pm8009_firmware	—	cpe:2.3:o:qualcomm:pm8009_firmware:-:::::::*
qualcomm	pm8150a_firmware	—	cpe:2.3:o:qualcomm:pm8150a_firmware:-:::::::*
qualcomm	pm8150b_firmware	—	cpe:2.3:o:qualcomm:pm8150b_firmware:-:::::::*
qualcomm	pm8150c_firmware	—	cpe:2.3:o:qualcomm:pm8150c_firmware:-:::::::*
qualcomm	pm8150l_firmware	—	cpe:2.3:o:qualcomm:pm8150l_firmware:-:::::::*
qualcomm	pm8250_firmware	—	cpe:2.3:o:qualcomm:pm8250_firmware:-:::::::*
qualcomm	pm8350_firmware	—	cpe:2.3:o:qualcomm:pm8350_firmware:-:::::::*
qualcomm	pm8350b_firmware	—	cpe:2.3:o:qualcomm:pm8350b_firmware:-:::::::*
qualcomm	pm8350bh_firmware	—	cpe:2.3:o:qualcomm:pm8350bh_firmware:-:::::::*
qualcomm	pm8350bhs_firmware	—	cpe:2.3:o:qualcomm:pm8350bhs_firmware:-:::::::*
qualcomm	pm8350c_firmware	—	cpe:2.3:o:qualcomm:pm8350c_firmware:-:::::::*
qualcomm	pm855_firmware	—	cpe:2.3:o:qualcomm:pm855_firmware:-:::::::*
qualcomm	pm855b_firmware	—	cpe:2.3:o:qualcomm:pm855b_firmware:-:::::::*
qualcomm	pm855l_firmware	—	cpe:2.3:o:qualcomm:pm855l_firmware:-:::::::*
qualcomm	pm855p_firmware	—	cpe:2.3:o:qualcomm:pm855p_firmware:-:::::::*
qualcomm	pm8937_firmware	—	cpe:2.3:o:qualcomm:pm8937_firmware:-:::::::*
qualcomm	pm8953_firmware	—	cpe:2.3:o:qualcomm:pm8953_firmware:-:::::::*
qualcomm	pmi632_firmware	—	cpe:2.3:o:qualcomm:pmi632_firmware:-:::::::*
qualcomm	pmi8937_firmware	—	cpe:2.3:o:qualcomm:pmi8937_firmware:-:::::::*
qualcomm	pmi8952_firmware	—	cpe:2.3:o:qualcomm:pmi8952_firmware:-:::::::*
qualcomm	pmk7350_firmware	—	cpe:2.3:o:qualcomm:pmk7350_firmware:-:::::::*
qualcomm	pmk8002_firmware	—	cpe:2.3:o:qualcomm:pmk8002_firmware:-:::::::*
qualcomm	pmk8003_firmware	—	cpe:2.3:o:qualcomm:pmk8003_firmware:-:::::::*
qualcomm	pmk8350_firmware	—	cpe:2.3:o:qualcomm:pmk8350_firmware:-:::::::*
qualcomm	pmr525_firmware	—	cpe:2.3:o:qualcomm:pmr525_firmware:-:::::::*
qualcomm	pmr735a_firmware	—	cpe:2.3:o:qualcomm:pmr735a_firmware:-:::::::*
qualcomm	pmr735b_firmware	—	cpe:2.3:o:qualcomm:pmr735b_firmware:-:::::::*
qualcomm	pmx50_firmware	—	cpe:2.3:o:qualcomm:pmx50_firmware:-:::::::*
qualcomm	pmx55_firmware	—	cpe:2.3:o:qualcomm:pmx55_firmware:-:::::::*
qualcomm	qat3514_firmware	—	cpe:2.3:o:qualcomm:qat3514_firmware:-:::::::*
qualcomm	qat3516_firmware	—	cpe:2.3:o:qualcomm:qat3516_firmware:-:::::::*
qualcomm	qat3518_firmware	—	cpe:2.3:o:qualcomm:qat3518_firmware:-:::::::*
qualcomm	qat3519_firmware	—	cpe:2.3:o:qualcomm:qat3519_firmware:-:::::::*
qualcomm	qat3522_firmware	—	cpe:2.3:o:qualcomm:qat3522_firmware:-:::::::*
qualcomm	qat3550_firmware	—	cpe:2.3:o:qualcomm:qat3550_firmware:-:::::::*
qualcomm	qat3555_firmware	—	cpe:2.3:o:qualcomm:qat3555_firmware:-:::::::*
qualcomm	qat5515_firmware	—	cpe:2.3:o:qualcomm:qat5515_firmware:-:::::::*
qualcomm	qat5516_firmware	—	cpe:2.3:o:qualcomm:qat5516_firmware:-:::::::*
qualcomm	qat5522_firmware	—	cpe:2.3:o:qualcomm:qat5522_firmware:-:::::::*
qualcomm	qat5533_firmware	—	cpe:2.3:o:qualcomm:qat5533_firmware:-:::::::*
qualcomm	qat5568_firmware	—	cpe:2.3:o:qualcomm:qat5568_firmware:-:::::::*
qualcomm	qbt1500_firmware	—	cpe:2.3:o:qualcomm:qbt1500_firmware:-:::::::*
qualcomm	qbt2000_firmware	—	cpe:2.3:o:qualcomm:qbt2000_firmware:-:::::::*
qualcomm	qca6390_firmware	—	cpe:2.3:o:qualcomm:qca6390_firmware:-:::::::*
qualcomm	qca6391_firmware	—	cpe:2.3:o:qualcomm:qca6391_firmware:-:::::::*
qualcomm	qca6420_firmware	—	cpe:2.3:o:qualcomm:qca6420_firmware:-:::::::*
qualcomm	qca6430_firmware	—	cpe:2.3:o:qualcomm:qca6430_firmware:-:::::::*
qualcomm	qdm2307_firmware	—	cpe:2.3:o:qualcomm:qdm2307_firmware:-:::::::*
qualcomm	qdm2308_firmware	—	cpe:2.3:o:qualcomm:qdm2308_firmware:-:::::::*
qualcomm	qdm2310_firmware	—	cpe:2.3:o:qualcomm:qdm2310_firmware:-:::::::*
qualcomm	qdm3301_firmware	—	cpe:2.3:o:qualcomm:qdm3301_firmware:-:::::::*
qualcomm	qdm3302_firmware	—	cpe:2.3:o:qualcomm:qdm3302_firmware:-:::::::*
qualcomm	qdm4643_firmware	—	cpe:2.3:o:qualcomm:qdm4643_firmware:-:::::::*
qualcomm	qdm4650_firmware	—	cpe:2.3:o:qualcomm:qdm4650_firmware:-:::::::*

References for CVE-2020-11260

URL	Tags
https://www.qualcomm.com/company/product-security/bulletins/january-2021-bulletin	Vendor Advisory

URL

CVE-2020-11260

Exploit prediction scoring system (EPSS) score for CVE-2020-11260

Common vulnerability scoring system (CVSS) metrics for CVE-2020-11260

Weakness enumeration for CVE-2020-11260

Affected software / configurations for CVE-2020-11260

References for CVE-2020-11260