Qualcomm has shipped security updates to deal with three zero-day vulnerabilities that it stated have been exploited in restricted, focused assaults within the wild.
The issues in query, which had been responsibly disclosed to the corporate by the Google Android Safety workforce, are listed beneath –
- CVE-2025-21479 and CVE-2025-21480 (CVSS rating: 8.6) – Two incorrect authorization vulnerabilities within the Graphics element that would end in reminiscence corruption resulting from unauthorized command execution in GPU microcode whereas executing a selected sequence of instructions
- CVE-2025-27038 (CVSS rating: 7.5) – A use-after-free vulnerability within the Graphics element that would end in reminiscence corruption whereas rendering graphics utilizing Adreno GPU drivers in Chrome
“There are indications from Google Risk Evaluation Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 could also be beneath restricted, focused exploitation,” Qualcomm stated in an advisory.
“Patches for the problems affecting the Adreno Graphics Processing Unit (GPU) driver have been made obtainable to OEMs in Could along with a powerful advice to deploy the replace on affected units as quickly as attainable.”
There are presently no particulars on how the vulnerabilities are being exploited, in what context, and by whom. That stated, related flaws in Qualcomm chipsets (CVE-2023-33063, CVE-2023-33106, and CVE-2023-33107) have been weaponized previously by purveyors of business spyware and adware like Variston and Cy4Gate.
Final December, Amnesty Worldwide revealed that one other security flaw in Qualcomm (CVE-2024-43047) had been exploited by the Serbian Safety Data Company (BIA) and the Serbian police to unlock seized Android units belonging to activists, journalists, and protestors utilizing Cellebrite’s information extraction software program to realize elevated entry and deploy an Android spyware and adware known as NoviSpy.
