- Qualcomm has patched three zero-days abused since January 2025
- The patches now need to be applied by OEMs
- No details of the in-the-wild abuse are available, but users should still be on guard
Qualcomm has finally patched three Adreno GPU zero-day vulnerabilities that were abused in the wild.
According to the June 2025 Android Security Bulletin, the chipmaker has now fixed CVE-2025-21479, CVE-2025-21480 and CVE-2025-27038.
The first two are incorrect authorization flaws in the graphics component. They were given a severity score of 8.6/10 (high) and could trigger memory corruption. They were first observed in January 2025. The third flaw is a use-after-free vulnerability in the graphics component, which also leads to memory corruption. This one was given a lower severity score of 7.5/10.
“There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation,” explained Qualcomm.
“Patches to the problems that affect the Adreno Graphics Processing Unit (GPU) driver have been made available to OEMs in May along with a strong recommendation to implement the update on the affected devices as soon as possible.”
Now it is up to the various device manufacturers, such as Samsung, Google, OnePlus or Xiaomi, to apply these patches to their products.
The affected devices span a wide range of Qualcomm chipsets, including flagship models such as Snapdragon 8 Gen 2 and Gen 3, as well as midrange and budget platforms such as Snapdragon 695, 778G and 4 Gen 1/2.
There are currently no details on who abused these flaws, against whom, and to what end, although similar vulnerabilities were seen in the past in spyware campaigns such as those of Variston and Cy4Gate.
A separate Qualcomm bug (CVE-2024-43047) was used by Serbia's secret service agency, BIA, in December 2024 to unlock Android devices seized from journalists, activists and protesters, claims the same source.
Via The Hacker News



