Cell chipmaker Qualcomm has issued pressing safety patches for 3 essential zero-day vulnerabilities in its Adreno GPU drivers which can be actively being exploited in focused assaults towards Android customers worldwide.
The corporate confirmed that patches for the vulnerabilities have been distributed to gadget producers with robust suggestions for instant deployment.
The Google Risk Evaluation Group has supplied indications that three vulnerabilities, CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038,”could also be beneath restricted, focused exploitation.”
This represents a big safety risk as billions of Android units worldwide depend on Qualcomm’s Adreno GPU know-how throughout a number of smartphone producers, together with Samsung, Google, Xiaomi, and OnePlus.
0-Day Vulnerabilities Exploited
CVE-2025-21479 and CVE-2025-21480 are categorized as essential vulnerabilities with CVSS scores of 8.6, representing incorrect authorization flaws within the Graphics part.
These vulnerabilities allow reminiscence corruption by unauthorized command execution in GPU microcode throughout particular command sequences. Attackers can exploit these flaws to execute rogue instructions that corrupt system reminiscence, doubtlessly resulting in elevated privileges and system compromise.
CVE-2025-27038 carries a CVSS rating of seven.5 and represents a use-after-free vulnerability within the Graphics part. This flaw causes reminiscence corruption throughout graphics rendering by Adreno GPU drivers, particularly throughout the Chrome browser.
The vulnerability might be exploited to bypass browser isolation mechanisms and execute arbitrary code on the goal system.
All three vulnerabilities have been responsibly disclosed to Qualcomm by the Google Android Safety crew. The 2 essential authorization flaws (CVE-2025-21479 and CVE-2025-21480) have been reported in late January 2025, whereas the Chrome-related use-after-free vulnerability (CVE-2025-27038) was communicated in March. This timeline demonstrates the continued nature of safety analysis efforts concentrating on cell GPU drivers.
The vulnerabilities have an effect on Qualcomm’s Adreno GPU framework and might be triggered by specifically crafted command sequences transmitted to the GPU driver. For the Chrome-related vulnerability, attackers can exploit the flaw by malicious internet content material that triggers graphics rendering operations.
Safety researchers notice that these kinds of GPU vulnerabilities are notably helpful to industrial spy ware operators and superior persistent risk teams looking for to escalate privileges on compromised units.
Qualcomm distributed patches for all three vulnerabilities to Authentic Tools Producers (OEMs) in Could 2025, accompanied by robust suggestions for instant deployment.
The corporate emphasizes that gadget producers ought to prioritize these updates, given the energetic exploitation standing. Customers are suggested to contact their gadget producers for particular details about patch availability for his or her units.
The invention highlights ongoing safety challenges in cell GPU drivers, which characterize engaging targets for classy attackers. Business spy ware distributors and state-sponsored risk actors have beforehand weaponized related Qualcomm vulnerabilities.
The speedy disclosure and patching timeline demonstrates improved coordination between safety researchers, chipset producers, and gadget distributors in addressing essential cell safety threats.
Customers ought to guarantee their Android units obtain the most recent safety updates and monitor producer communications relating to patch availability for his or her particular gadget fashions.
Discover this Information Fascinating! Observe us on Google Information, LinkedIn, & X to Get Immediate Updates!
