Qualcomm Releases Patches for Three Actively Exploited Zero-Day Vulnerabilities

200/68 Wednesday, June 4, 2025

Qualcomm has issued patches to address three zero-day vulnerabilities that have been actively exploited in the wild. These flaws were reported by Google’s Android Security team and are tracked as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038. The company distributed the patches to OEMs in May 2025 and strongly recommends immediate updates.

Details of the Vulnerabilities:

  • CVE-2025-21479 (CVSS 8.6): An Incorrect Authorization flaw in the GPU micronode’s graphics processing, allowing unauthorized command execution, which may lead to memory corruption.
  • CVE-2025-21480 (CVSS 8.6): A similar Incorrect Authorization vulnerability in the Graphics Windows component, which could also allow attackers to control GPU operations without proper privileges.
  • CVE-2025-27038 (CVSS 7.5): A Use-After-Free issue in the Adreno GPU driver that could be triggered via Chrome during graphics rendering, resulting in memory corruption.

Although there are no public technical details on the attackers, Google’s Threat Analysis Group confirmed that these vulnerabilities were used in targeted exploitation campaigns. The incidents appear to be linked to CVE-2024-43047, a previously exploited use-after-free vulnerability in Qualcomm’s Digital Signal Processor (DSP), which has been listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog since October 2024.

Security experts from Google Project Zero and Amnesty International’s Security Lab urge all Android users to apply the latest patches promptly to mitigate the risk of exploitation, especially on devices running affected Qualcomm chipsets.

Source: https://securityaffairs.com/178532/hacking/qualcomm-fixed-three-zero-days-exploited-in-limited-targeted-attacks.html