New Qualcomm GBL exploit brings bootloader unlock to flagship Androids



TL;DR

  • A vulnerability in Qualcomm’s Android Bootloader (ABL) allows unsigned code placed in the “efisp” partition to run on Android 16 devices.
  • This is combined with an unvalidated fastboot oem command that lets arbitrary kernel command-line arguments be appended, which is used to switch SELinux to Permissive and obtain the access needed to write the partition.
  • The chain is completed with a vulnerability in Xiaomi’s HyperOS to unlock the bootloader on the Xiaomi 17 series and other phones. Other Snapdragon 8 Elite Gen 5 phones may also be affected, although the exact chain of vulnerabilities may differ.

Update, March 14, 2026 (6:38 a.m. ET): A Qualcomm spokesperson shared the following statement with us:

Developing technologies that support strong security and privacy is a priority for Qualcomm Technologies. We commend the Xiaomi ShadowBlade Security Lab researchers for using coordinated disclosure practices. Regarding their research on GBL, the revisions were made available to our customers in early March 2026. We encourage end users to apply security updates as they become available from device manufacturers.

The statement attributes the research behind the GBL exploit to the Xiaomi ShadowBlade Security Lab and notes that fixes were made available to device manufacturers earlier this month. Qualcomm also encourages users to install security updates as they become available; note that doing so will close the gap used to unlock the bootloader.


Original article, March 12, 2026 (12:56 PM ET): The Snapdragon 8 Elite Gen 5 is the latest flagship SoC from Qualcomm, and it is the chip you’ll find in many of the best Android flagships. We are seeing widespread adoption of the SoC in the Xiaomi 17 series, the OnePlus 15, and even the recently launched Galaxy S26 Ultra. A new exploit surfaced this week affecting Qualcomm SoCs, primarily the latest Snapdragon 8 Elite Gen 5, allowing users to unlock the bootloader on phones that were previously very difficult to unlock.


What is the Qualcomm GBL Exploit?

A new exploit, dubbed the “Qualcomm GBL Exploit,” has been making the rounds on the internet for the past few days. Although the identity of its discoverer is disputed, the exploit is understood to target the way GBL (Generic Bootloader Library) is loaded on modern Android smartphones running Qualcomm SoCs.

In short, on phones that ship with Android 16, Qualcomm’s Android Bootloader (ABL) tries to load GBL from the “efisp” partition. However, rather than verifying the authenticity of the GBL image, the ABL simply loads whatever UEFI application it finds on that partition. This makes it possible to write unsigned code to efisp that is then executed without any checks. This is the basis of the Qualcomm GBL exploit.

GBL exploitation is chained with other vulnerabilities

However, writing to the efisp partition is not possible by default, because SELinux is Enforcing and blocks the unauthorized write. To write to efisp you need SELinux in Permissive mode, which can be done if you have root access. But gaining root, or unlocking the bootloader via the GBL exploit, itself requires Permissive SELinux, which brings you back to square one.

This is where a second weakness comes in.

Qualcomm’s ABL accepts a fastboot command, “fastboot oem set-gpu-preemption,” whose first parameter is expected to be “0” or “1.” However, the command passes its arguments through without any validation or sanitization, so any extra text is appended to the kernel command line as arbitrary parameters. This is used to add “androidboot.selinux=permissive,” which switches SELinux from Enforcing to Permissive on the next boot.

fastboot oem set-gpu-preemption 0 androidboot.selinux=permissive

Run from the bootloader, the above command is enough to boot the device with SELinux in Permissive mode.
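To make the argument-handling bug concrete, here is an added toy model, written for this article and not taken from Qualcomm’s ABL or from the exploit: a vulnerable oem handler that splices its raw argument string onto the kernel command line, the hardened form that only accepts a bare “0” or “1”, and an audit helper that checks an assembled command line for an androidboot.selinux override. The parameter name gpu_preemption= and the handler names are assumptions made for this example; the baseline command line is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Qualcomm's ABL code. The kernel parameter
 * name "gpu_preemption=" and the handler names are assumptions. */

#define CMDLINE_MAX 512

/* Vulnerable shape: the raw argument string the host sent after the
 * command name is appended verbatim. "0 androidboot.selinux=permissive"
 * therefore lands on the cmdline as two tokens, and the kernel honours
 * the second one. */
int set_gpu_preemption_vulnerable(const char *args, char *cmdline, size_t cap)
{
    const char *prefix = " gpu_preemption=";
    if (strlen(cmdline) + strlen(prefix) + strlen(args) + 1 > cap)
        return -1;                         /* would overflow the buffer: refuse */
    strcat(cmdline, prefix);
    strcat(cmdline, args);
    return 0;
}

/* Hardened shape: accept exactly "0" or "1". Any extra character,
 * including a space followed by further tokens, is rejected before the
 * cmdline is touched. */
int set_gpu_preemption_fixed(const char *args, char *cmdline, size_t cap)
{
    const char *prefix = " gpu_preemption=";
    if (strcmp(args, "0") != 0 && strcmp(args, "1") != 0)
        return -1;                         /* not a bare 0/1: reject */
    if (strlen(cmdline) + strlen(prefix) + 1 + 1 > cap)
        return -1;
    strcat(cmdline, prefix);
    strcat(cmdline, args);
    return 0;
}

/* Audit helper: returns 1 if the assembled cmdline contains a token
 * androidboot.selinux=<value> with a value other than "enforcing".
 * It compares whole space-separated tokens, so a prefix such as
 * "xandroidboot.selinux=" does not match. */
int cmdline_has_selinux_override(const char *cmdline)
{
    static const char key[] = "androidboot.selinux=";
    char buf[CMDLINE_MAX];
    strncpy(buf, cmdline, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (strncmp(tok, key, sizeof key - 1) == 0 &&
            strcmp(tok + sizeof key - 1, "enforcing") != 0)
            return 1;
    }
    return 0;
}

typedef int (*oem_handler)(const char *, char *, size_t);

/* Push one argument string through a handler on a fresh baseline cmdline
 * (constructed sample) and report whether SELinux ended up overridden. */
int ends_permissive(oem_handler handler, const char *args)
{
    char cmdline[CMDLINE_MAX] = "console=ttyMSM0 androidboot.verifiedbootstate=green";
    if (handler(args, cmdline, sizeof cmdline) != 0)
        return 0;                          /* rejected: cmdline untouched */
    return cmdline_has_selinux_override(cmdline);
}

/* 1 if the handler accepted args, 0 if it rejected them. */
int handler_accepts(oem_handler handler, const char *args)
{
    char cmdline[CMDLINE_MAX] = "console=ttyMSM0";
    return handler(args, cmdline, sizeof cmdline) == 0;
}

int main(void)
{
    /* Constructed input: what the host sends for
     * "fastboot oem set-gpu-preemption 0 androidboot.selinux=permissive". */
    const char *injected = "0 androidboot.selinux=permissive";
    printf("vulnerable handler -> selinux overridden: %d\n",
           ends_permissive(set_gpu_preemption_vulnerable, injected));
    printf("fixed handler      -> selinux overridden: %d\n",
           ends_permissive(set_gpu_preemption_fixed, injected));
    printf("fixed handler accepts plain \"1\": %d\n",
           handler_accepts(set_gpu_preemption_fixed, "1"));
    return 0;
}
```

The point of the hardened variant is that the check is an exact match on the whole argument, not a check on its first character: validating only that args[0] is ‘0’ or ‘1’ would still let the trailing tokens through. The audit helper is the kind of check a device-side integrity scan can run against /proc/cmdline after boot to spot a Permissive override that no signed boot image should carry.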

Using the GBL exploit to unlock the Xiaomi 17 series


After rebooting, the ABL loads a custom UEFI application without any checks thanks to the GBL exploit. The custom UEFI application then unlocks the bootloader by setting both the unlocked and critical-unlock flags to “1,” which is what the usual “fastboot oem unlock” command would do.


Xiaomi has implemented strict time-based, questionnaire-based, and device-restricted criteria for unlocking the bootloader on its Chinese-market phones. The process was so rigorous that most users eventually gave up on the idea of unlocking the bootloader – until now, that is.

Reports suggest Xiaomi will soon patch the vulnerability used in the exploit chain, and it may already have done so with the latest HyperOS 3.0.304.0 builds released in China yesterday. Most guides floating around the web for this exploit chain advise users to disconnect their phone from the internet and not update the firmware.

Does the GBL exploit work on other phones?

It’s not immediately clear whether the GBL exploit works on other Qualcomm SoCs beyond the Snapdragon 8 Elite Gen 5. However, since GBL loading arrived with Android 16, that OS version appears to be a requirement for now.

The GBL exploit should affect all OEMs using Qualcomm’s ABL (which excludes Samsung, as it uses its own S-Boot). However, the chain of vulnerabilities needed for a successful unlock will differ from one OEM to another.

As far as I can see, Qualcomm has already added checks to the fastboot oem set-gpu-preemption command, and even to other commands such as fastboot oem set-hw-fence-value, which was not part of this exploit chain but could have been abused in the same way. However, it is unclear whether the underlying GBL exploit has been patched and, if so, whether the fix has been rolled out to Android OEMs and then released to consumers.

We’ve reached out to Qualcomm to learn more about the GBL exploit and whether it has yet to be fixed. We’ll update this article when we hear back from the company or learn more technical details from other sources.


Thanks to the developer Roger Ortiz for helping put this together!



