Tracking 4049 chipset vulnerabilities across 6866 different smartphone models.

What is this about?

Every smartphone contains a chipset, enabling functionality such as calls, data connectivity, Bluetooth and WiFi communication, digital image processing and more. Detecting and addressing chipset vulnerabilities is crucial for optimal smartphone security. However, information on these vulnerabilities is scattered across chipset manufacturers' websites, AOSP's Security Bulletins, and OEM websites. Our website consolidates this data for a unified and accessible view.

Vulnerabilities

Explore trends
4049
+40 in February 2025
Monthly amount of published vulnerabilities

Phone models

Show all
6866

Chipsets

Show all
637
each affected by 104 vulnerabilities (avg.)
18621
+56 in February 2025
Phone modelCode nameUpdated in
Samsung Galaxy Z Flip5SM-F731BFebruary 2025
Samsung Galaxy Tab A8 10.5 (2021)SM-X205February 2025
Samsung Galaxy Z Fold5SM-F946BFebruary 2025
Samsung Galaxy Tab A8 10.5 (2021)SM-X205February 2025
Samsung Galaxy S24 UltraSM-S928U1February 2025
Samsung Galaxy Z Flip5SM-F731U1February 2025
Samsung Galaxy Tab S9 FESM-X510February 2025
Samsung Galaxy Z Flip5SM-F731BFebruary 2025
Samsung Galaxy A05sSM-A057FFebruary 2025
Samsung Galaxy Z Fold5SM-F946BFebruary 2025
Samsung Galaxy S24SM-S921U1February 2025
Samsung Galaxy S24+SM-S926U1February 2025
Samsung Galaxy Z Fold5SM-F946U1February 2025
Samsung Galaxy A22 5GSM-A226BFebruary 2025
Samsung Galaxy Tab S9+SM-X816BFebruary 2025
Samsung Galaxy Tab S9 FE+SM-X610February 2025
Samsung Galaxy Tab S9 FESM-X510February 2025
Samsung Galaxy A52s 5GSM-A528BFebruary 2025
Samsung Galaxy Tab S9SM-X716BFebruary 2025
Samsung Galaxy Tab S9+SM-X810February 2025
Samsung Galaxy S22 5GSM-S901BFebruary 2025
Samsung Galaxy Tab S9SM-X710February 2025
Samsung Galaxy S22 Ultra 5GSM-S908BFebruary 2025
Samsung Galaxy Tab S9 UltraSM-X910February 2025
Samsung Galaxy S22+ 5GSM-S906BFebruary 2025
Samsung Galaxy Tab S9 UltraSM-X916BFebruary 2025
Samsung Galaxy Tab S9 FESM-X516BFebruary 2025
Samsung Galaxy A22 5GSM-A226BFebruary 2025
Samsung Galaxy S24+SM-S926BFebruary 2025
Samsung Galaxy A52 5GSM-A526BFebruary 2025
And 18591 more...

The big picture.

Our data provides a holistic overview on each phase of the vulnerability lifecycle.

Vulnerability Introduction

Each new chipset release brings exciting features, yet often inherits vulnerabilities from previous generations.

In each new chipset generation...

93 %
of all vulnerabilities are inherhited from previous chipset generations
7%
of all vulnerabilities occur in this chipset generation for the first time

Vulnerability Discovery

Vulnerabilities are either found internally by chipset manufacturers, or by external researchers.

Since 2018, external researchers have found 55% of all published chipset vulnerabilities.

Yearly ratio of published vulnerabilities discovered by external researchers.

The relative amount of externally discovered vulnerabilities differs between chipset manufacturers.

Ratio of published vulnerabilities discovered by external researchers during the past two years, broken down by manufacturer. A lower bar implies that a chipset manufacturer was able to find more vulnerabilities internally.
Ratio of vulnerabilities discovered by chipset manufacturers
Manufacturer20232024
MediaTek10%39%
SAMSUNG LSI60%0%
Qualcomm57%53%
UNISOC7%2%

Patch Development

Once a vulnerability is discovered, the affected chipsets' manufacturer assesses its severity, develops a patch and publishes vulnerability information in the form of a CVE and a bulletin on their website as well as the AOSP.

Severity assessmentAre firmware vulnerabilities more severe?

Firmware

7.8
Median CVSS score of firmware running on chipset co-processors.

Drivers

7.0
Median CVSS score of drivers for chipset functionality.
Time to patch availabilityHow long does it take chipset manufacturers to develop a mitigating patch?

For vulnerabilities published in 2024, it took chipset manufacturers on average 153 days to provide a patch to OEMs, after they have been informed of a vulnerability. This is 0% faster than in 2023.

Based on data provided on the websites of Qualcomm and Samsung.

Update deployment

Time frame from public disclosure to updateUpdates are available for half of all device models within 72 days after a vulnerability is announced.
Time frame from first available updateHalf of all device models have received an update 34 days after the first model affected by that vulnerability.

For researchers.

Our data set aids researchers in tracking vulnerability trends, offering aggregated monthly discovery numbers. This helps focus research efforts on underrepresented or highly vulnerable areas. Additionally, it assesses individual research impact by offering per vulnerability information on impacted chipsets and devices.

Furthermore, evaluating novel vulnerability discovery techniques warrants a representative set of devices to empirically test the success of said techniques. Many chipsets share the same vulnerabilities through code re-use. Manually testing chipsets affected by mostly overlapping sets of vulnerabilities is time consuming, unnecessarily expensive and thus inefficient. Our device picker helps select a variety of devices with chipsets that share fewer vulnerabilities, increasing the likelihood of testing novel implementations rather than re-used ones.

For more information and a detailed analysis of the data presented on this website, please see our paper, to be presented at NDSS'25.
Follow us on Twitter