CVE-2026-40003 PUBLISHED

USB-based arbitrary memory write vulnerability in ZTE ZX297520V3 SoC BootROM

Assigner: zte
Reserved: 08.04.2026 Published: 07.05.2026 Updated: 07.05.2026

ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution.

Metrics

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
CVSS Score: 5.1

Product Status

Vendor ZTE
Product ZX297520V3 BootROM
Versions Default: unaffected
  • Version 7520V3 chip is affected

Credits

  • rva3 finder

References

Problem Types

  • CWE-787 Out-of-bounds Write

Impacts

  • CAPEC-124 Shared Resource Manipulation