Qualcomm’s new GBL exploit brings bootloader unlocking to flagship Androids


Phone with Snapdragon 8 Elite Gen 5 logo in hand

Robert Triggs / Android Authority

TL;DR

  • A vulnerability in Qualcomm’s Android bootloader implementation allows unsigned code to be executed through the “efisp” partition on devices running Android 16.
  • This is combined with a flaw in a fastboot OEM command that accepts unchecked extra arguments, which is used to switch SELinux to permissive mode and obtain the permissions needed to unlock the bootloader.
  • This further links to a vulnerability in Xiaomi’s HyperOS to allow bootloader unlocking on the Xiaomi 17 series and more. Other Snapdragon 8 Elite Gen 5 phones could also be affected, although the chain of vulnerabilities could differ.

Update, March 14, 2026 (06:38 am ET): A Qualcomm spokesperson shared the following statement with us:

Developing technologies that strive to support strong security and privacy is a priority for Qualcomm Technologies. We congratulate the researchers at the Xiaomi ShadowBlade Security Lab for using coordinated disclosure practices. Regarding your GBL-related investigation, fixes were made available to our customers in early March 2026. We encourage end users to apply security updates as they become available from device manufacturers.

The statement attributes the research behind the GBL exploit to the Xiaomi ShadowBlade Security Lab and notes that the fixes were made available to Android brands earlier this month. Qualcomm’s statement also encourages users to install security updates as soon as they are available; note, however, that doing so will close the loophole used to unlock the bootloader.


Original article, March 12, 2026 (12:56 pm ET): The Snapdragon 8 Elite Gen 5 is Qualcomm’s newest flagship SoC and is undoubtedly one of the best chips you can find in top Android flagships. We are seeing widespread adoption of the SoC in phones like the Xiaomi 17 series, the OnePlus 15 and even the recently launched Galaxy S26 Ultra. This week, a new exploit came to light that appears to affect Qualcomm SoCs, primarily the latest Snapdragon 8 Elite Gen 5, allowing users to unlock the bootloader on phones that were previously notoriously difficult to unlock.


What is the Qualcomm GBL exploit?

A new exploit, called the “Qualcomm GBL exploit”, has been floating around the Internet for the past few days. While the identity of its discoverer is disputed, the exploit targets an oversight in how GBL (Generic Bootloader Library) is loaded on modern Android smartphones powered by Qualcomm SoCs.

In a nutshell, Qualcomm’s vendor-specific Android Bootloader (ABL) attempts to load the GBL from the “efisp” partition on phones that ship with Android 16. But in doing so, Qualcomm’s ABL simply looks for a UEFI application on that partition rather than verifying that it is an authentic, signed GBL. This opens the possibility of writing unsigned code to the efisp partition, which is then executed without verification. This forms the core of the Qualcomm GBL exploit.

The GBL exploit is chained with other vulnerabilities

However, writing to the efisp partition is not possible by default because SELinux is set to enforcing mode, which blocks disallowed actions. To allow writing to the efisp partition, SELinux must be set to permissive mode, which can be done if you have root access. But permissive SELinux is needed in the first place to unlock the bootloader via the GBL exploit and gain root privileges, which leaves you back at square one.

This is where another vulnerability comes into play.

Qualcomm’s ABL accepts a fastboot command called “fastboot oem set-gpu-preemption”, which takes “0” or “1” as its first parameter. However, this command also seems to unintentionally accept additional arguments without any checking or sanitization, allowing you to append arbitrary custom parameters to the kernel command line. This, in turn, is used to add the “androidboot.selinux=permissive” parameter and change SELinux from enforcing to permissive.

fastboot oem set-gpu-preemption 0 androidboot.selinux=permissive

Surprisingly, the above command switches SELinux to permissive.
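The root of this step is an input-validation bug class: an OEM command handler that forwards whatever follows the command name into the kernel command line. The following C snippet is an added illustration, not Qualcomm’s ABL code; every function, buffer and option name in it (including the hypothetical androidboot.gpu_preemption key) is invented for the example. It contrasts a handler that appends its arguments verbatim with a hardened handler that tokenises the argument string, requires exactly one token, allowlists that token to “0” or “1”, and only ever appends a fixed key built from the checked value, so unrelated parameters such as androidboot.selinux=permissive are rejected instead of reaching the kernel.

```c
/*
 * Added example, not Qualcomm's ABL code: a toy fastboot OEM command
 * handler that contributes to the kernel command line. All names here
 * are hypothetical; the unchecked form mirrors the bug class described
 * in the article, the checked form shows the validation that prevents it.
 */
#include <stdio.h>
#include <string.h>

#define CMDLINE_CAP 256

/* Does the assembled command line contain a given option substring? */
int cmdline_has(const char *cmdline, const char *needle)
{
    return strstr(cmdline, needle) != NULL;
}

/* Unchecked form: everything after the command name is appended verbatim,
 * so extra tokens ride along with the legitimate "0"/"1" value. */
int set_gpu_preemption_unchecked(const char *args, char *cmdline, size_t cap)
{
    if (args == NULL || args[0] == '\0')
        return -1;
    /* No tokenisation and no allowlist: the whole string goes through. */
    if (strlen(cmdline) + strlen(args) + 2 > cap)
        return -1;
    strcat(cmdline, " ");
    strcat(cmdline, args);
    return 0;
}

/* Hardened form: exactly one whitespace-separated token, which must be "0"
 * or "1"; only a fixed key=value built from that token is appended. */
int set_gpu_preemption_checked(const char *args, char *cmdline, size_t cap)
{
    const char *p = args;
    const char *tok_start = NULL;
    size_t tok_len = 0;
    int ntok = 0;
    char opt[64];

    if (args == NULL)
        return -1;

    /* Walk the string and record each whitespace-separated token. */
    while (*p) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            break;
        tok_start = p;
        while (*p && *p != ' ' && *p != '\t')
            p++;
        tok_len = (size_t)(p - tok_start);
        ntok++;
    }
    if (ntok != 1)
        return -1;   /* extra tokens are rejected, never appended */
    if (tok_len != 1 || (tok_start[0] != '0' && tok_start[0] != '1'))
        return -1;   /* allowlist of accepted values */

    /* Hypothetical option name; the value is known-good at this point. */
    snprintf(opt, sizeof opt, " androidboot.gpu_preemption=%c", tok_start[0]);
    if (strlen(cmdline) + strlen(opt) + 1 > cap)
        return -1;
    strcat(cmdline, opt);
    return 0;
}

/* Runs the constructed input from the article through one handler and
 * reports whether the permissive token reached the command line. */
int permissive_leaks_through(int use_checked)
{
    char cmdline[CMDLINE_CAP] = "console=ttyMSM0";  /* constructed baseline */
    const char *input = "0 androidboot.selinux=permissive";  /* constructed */

    if (use_checked)
        set_gpu_preemption_checked(input, cmdline, sizeof cmdline);
    else
        set_gpu_preemption_unchecked(input, cmdline, sizeof cmdline);
    return cmdline_has(cmdline, "androidboot.selinux=permissive");
}

int main(void)
{
    printf("unchecked handler leaks permissive: %d\n", permissive_leaks_through(0));
    printf("checked handler leaks permissive:   %d\n", permissive_leaks_through(1));
    return 0;
}
```

The design point is that the hardened handler never concatenates caller-supplied text into the command line at all: it validates, then emits its own constant string. That is the property to look for when auditing any OEM fastboot command that influences boot parameters.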

Using GBL exploit to unlock Xiaomi 17 series bootloader

Xiaomi 17 Ultra HyperOS display

Robert Triggs / Android Authority

After the custom UEFI application has been written to the efisp partition and the phone reboots, ABL loads it without any verification, thanks to the GBL exploit. The custom UEFI application then unlocks the bootloader by setting both is_unlocked and is_unlocked_critical to “1”, which is exactly what the normal “fastboot oem unlock” command does too.

Xiaomi 17 Ultra in hand

Robert Triggs / Android Authority

Xiaomi had introduced strict time-based criteria, questionnaires and limited devices for bootloader unlocking on its phones aimed at the Chinese market. The process was so strict that most users eventually gave up on the idea of unlocking the bootloader – until now, that is.

Reports indicate that Xiaomi will soon patch the loophole used in the exploit chain, and may have already done so with the latest version of HyperOS, 3.0.304.0, released yesterday in China. Most instructions circulating on the Internet about this exploit chain recommend that users disconnect their phones from the Internet and not update the firmware.

Does the GBL exploit work on other phones?

It’s not immediately clear whether the GBL exploit can work on other Qualcomm SoCs beyond the Snapdragon 8 Elite Gen 5. However, since GBL was introduced with Android 16, that OS version appears to be a requirement for now.

The GBL exploit should affect all OEMs (except Samsung, which uses its own S-Boot instead of Qualcomm’s ABL). However, the rest of the vulnerability chain needed for a successful unlock will differ from OEM to OEM.

From what I can see, Qualcomm has already fixed the argument checks for fastboot oem set-gpu-preemption, and even for other commands such as fastboot oem set-hw-fence-value that were not part of the exploit chain but could be exploited in a similar way. However, it is unclear whether the basic GBL exploit has been fixed and, if so, whether the fix has reached Android OEMs and then been rolled out to consumers.

We’ve reached out to Qualcomm to learn more about the GBL exploit and whether it has been fixed yet. We will update this article when we hear from the company or if we learn more technical details from other sources.


Thanks to developer roger ortiz for your help in reconstructing this!
