Qualcomm has shipped safety updates to handle three zero-day vulnerabilities that it mentioned have been exploited in restricted, focused assaults within the wild.
The issues in query, which had been responsibly disclosed to the corporate by the Google Android Safety crew, are listed under –
- CVE-2025-21479 and CVE-2025-21480 (CVSS rating: 8.6) – Two incorrect authorization vulnerabilities within the Graphics part that would lead to reminiscence corruption because of unauthorized command execution in GPU microcode whereas executing a selected sequence of instructions
- CVE-2025-27038 (CVSS rating: 7.5) – A use-after-free vulnerability within the Graphics part that would lead to reminiscence corruption whereas rendering graphics utilizing Adreno GPU drivers in Chrome
“There are indications from Google Menace Evaluation Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 could also be beneath restricted, focused exploitation,” Qualcomm mentioned in an advisory.
“Patches for the problems affecting the Adreno Graphics Processing Unit (GPU) driver have been made obtainable to OEMs in Might along with a robust advice to deploy the replace on affected gadgets as quickly as doable.”
There are at present no particulars on how the vulnerabilities are being exploited, in what context, and by whom. That mentioned, related flaws in Qualcomm chipsets (CVE-2023-33063, CVE-2023-33106, and CVE-2023-33107) have been weaponized prior to now by purveyors of business spyware and adware like Variston and Cy4Gate.
Final December, Amnesty Worldwide revealed that one other safety flaw in Qualcomm (CVE-2024-43047) had been exploited by the Serbian Safety Data Company (BIA) and the Serbian police to unlock seized Android gadgets belonging to activists, journalists, and protestors utilizing Cellebrite’s knowledge extraction software program to realize elevated entry and deploy an Android spyware and adware known as NoviSpy.
