Recommended reading

Qualcomm finally patches Adreno GPU zero-day flaws used in Android attacks

News
By published

Three flaws, abused for several months, have finally been fixed

Qualcomm
Image credit: Shutterstock (Image credit: Shutterstock)
  • Qualcomm has addressed three zero-days abused since January 2025
  • The patches must now be applied by OEMs
  • No details about in-the-wild abuse, but users should still be on guard

Qualcomm has finally patched three Adreno GPU zero-day vulnerabilities that were being abused in the wild.

According to the June 2025 Android Security Bulletin, the chipmaker has now fixed CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038.

The first two are incorrect authorization flaws in the Graphics component. They were given a severity score of 8.6/10 (high), and could trigger memory corruption. They were first observed in January 2025. The third bug is a use-after-free vulnerability in the Graphics component that also leads to memory corruption. This one was given a lower severity score - 7.5/10.

Payment information intact

"There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation," Qualcomm explained.

"Patches for the issues affecting the Adreno Graphics Processing Unit (GPU) driver have been made available to OEMs in May together with a strong recommendation to deploy the update on affected devices as soon as possible."

Now, it’s up to different device manufacturers, such as Samsung, Google OnePlus, or Xiaomi, to apply these patches in their products.

The affected devices span a wide range of Qualcomm chipsets, including flagship models like the Snapdragon 8 Gen 2 and Gen 3, as well as midrange and budget platforms such as the Snapdragon 695, 778G, and 4 Gen 1/2.

There are currently no details on who abused these flaws, against whom, and to what end, however similar vulnerabilities were seen used in the past in spyware campaigns such as Variston and Cy4Gate.

A separate Qualcomm bug (CVE-2024-43047) was used by Serbian secret service agency, BIA, in December 2024, to unlock Android devices seized from journalists, activists, and protestors, the same source claims.

Via The Hacker News

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.