
Qualcomm, a major chipmaker that powers most Android smartphones, has released important security updates to fix three serious zero-day vulnerabilities. These flaws were discovered by Google’s Android Security team and have reportedly been used in real-world, targeted cyberattacks.
The Vulnerabilities
The security issues lie in Qualcomm’s Adreno Graphics Processing Unit (GPU), which is responsible for rendering graphics on Android devices. All three vulnerabilities affect the Graphics component of Qualcomm chips. The details of these security flaws are as follows:
CVE-2025-21479 and CVE-2025-21480
Severity Score: 8.6 (High)
Type: Incorrect Authorization
Risk: These flaws can lead to memory corruption due to unauthorized commands being executed in the GPU microcode. This happens when a specific sequence of commands is run, bypassing normal security checks.
CVE-2025-27038
Severity Score: 7.5 (High)
Type: Use-After-Free
Risk: This vulnerability allows hackers to cause memory corruption when rendering graphics using Adreno GPU drivers, particularly through the Google Chrome browser.
According to Qualcomm, Google’s Threat Analysis Group (TAG) has confirmed that these vulnerabilities are being actively used in limited, targeted attacks. While the company did not disclose who is behind the attacks or what the specific targets are, the urgent patch release and public warning suggest a serious threat level.
Why These Vulnerabilities Matter
Zero-day vulnerabilities are software bugs that are unknown to the vendor and have no available fix at the time of discovery. When hackers exploit these flaws before they are patched, the attacks are extremely dangerous. Since these particular bugs were found in the Adreno GPU—used in millions of Android phones—the potential impact is wide-ranging.
Attackers exploiting these flaws could:
Gain unauthorized access to the system
Corrupt memory to crash devices or steal sensitive data
Execute malicious commands to take over affected phones
Because these attacks are targeted, it is likely that high-profile individuals or organizations (such as journalists, activists, or government agencies) are the main focus.
What Has Qualcomm Done?
In May, Qualcomm delivered security patches to smartphone manufacturers (also known as OEMs). The company strongly recommends that these OEMs roll out the updates to their devices immediately. However, end users must wait for their phone manufacturers (like Samsung, Xiaomi, or OnePlus) to push these updates in future software releases.
Qualcomm also thanked Google for responsibly disclosing the issues, which gave the company time to develop a fix before broader public awareness.

Past Exploits Raise Red Flags
While details about the current attacks remain unknown, history shows that vulnerabilities in Qualcomm chips have been exploited by commercial spyware vendors in the past.
For example:
In 2023, flaws like CVE-2023-33063, CVE-2023-33106, and CVE-2023-33107 were abused by spyware makers such as Variston and Cy4Gate.
In December 2024, Amnesty International revealed that Serbia’s Security Information Agency (BIA) and police used CVE-2024-43047, another Qualcomm flaw, to break into seized Android devices belonging to activists and journalists. They used Cellebrite’s data extraction tools to gain high-level access and deploy a spyware tool known as NoviSpy.
These past incidents highlight how dangerous unpatched Qualcomm vulnerabilities can be, especially when used by state actors or surveillance firms.
For most Android users, the best step is to keep the device updated. While Qualcomm has provided patches to manufacturers, it may take time for updates to reach users. Make sure to:
Regularly check for software updates
Avoid installing apps from untrusted sources
Use a mobile security app to monitor suspicious activity
Pay attention to any abnormal phone behavior, such as overheating, battery drain, or unknown apps
If you’re using a device that’s no longer receiving security updates, consider upgrading to a newer model that is still actively supported.
Qualcomm’s quick response to fix these zero-day vulnerabilities is a positive step, but it also highlights a larger issue: mobile devices, even high-end Android phones, are increasingly being targeted through sophisticated attacks. As chip-level vulnerabilities become more common, both manufacturers and users need to prioritize mobile cybersecurity.
For now, all eyes are on Android phone makers to see how quickly they roll out Qualcomm’s latest security patches. Until then, users should remain cautious and follow best practices to stay protected.