- Qualcomm has addressed three zero-days abused since January 2025
- The patches must now be applied by OEMs
- No details about in-the-wild abuse, but users should still be on guard
Qualcomm has finally patched three Adreno GPU zero-day vulnerabilities that were being abused in the wild.
According to the June 2025 Android Security Bulletin, the chipmaker has now fixed CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038.
The first two are incorrect authorization flaws in the Graphics component. They were given a severity score of 8.6/10 (high), and could trigger memory corruption. They were first observed in January 2025. The third bug is a use-after-free vulnerability in the Graphics component that also leads to memory corruption. This one was given a lower severity score – 7.5/10.
Payment information intact
“There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation,” Qualcomm explained.
“Patches for the issues affecting the Adreno Graphics Processing Unit (GPU) driver have been made available to OEMs in May together with a strong recommendation to deploy the update on affected devices as soon as possible.”
Now, it’s up to different device manufacturers, such as Samsung, Google OnePlus, or Xiaomi, to apply these patches in their products.
The affected devices span a wide range of Qualcomm chipsets, including flagship models like the Snapdragon 8 Gen 2 and Gen 3, as well as midrange and budget platforms such as the Snapdragon 695, 778G, and 4 Gen 1/2.
There are currently no details on who abused these flaws, against whom, and to what end, however similar vulnerabilities were seen used in the past in spyware campaigns such as Variston and Cy4Gate.
A separate Qualcomm bug (CVE-2024-43047) was used by Serbian secret service agency, BIA, in December 2024, to unlock Android devices seized from journalists, activists, and protestors, the same source claims.
Via The Hacker News
Leave a comment