Qualcomm has launched safety patches for 3 zero-day vulnerabilities within the Adreno Graphics Processing Unit (GPU) driver that impression dozens of chipsets and are actively exploited in focused assaults.
The corporate says two essential flaws (tracked as CVE-2025-21479 and CVE-2025-21480) have been reported by means of the Google Android Safety workforce in late January, and a 3rd high-severity vulnerability (CVE-2025-27038) was reported in March.
The primary two are each Graphics framework incorrect authorization weaknesses that may result in reminiscence corruption due to unauthorized command execution within the GPU micronode whereas executing a particular sequence of instructions, whereas CVE-2025-27038 is a use-after-free inflicting reminiscence corruption whereas rendering graphics utilizing Adreno GPU drivers in Chrome.
“There are indications from Google Risk Evaluation Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 could also be below restricted, focused exploitation,” Qualcomm warned in a Monday advisory.
“Patches for the problems affecting the Adreno Graphics Processing Unit (GPU) driver have been made accessible to OEMs in Might along with a robust suggestion to deploy the replace on affected gadgets as quickly as doable.”
This month, Qualcomm has additionally addressed a buffer over-read in Information Community Stack & Connectivity (CVE-2024-53026) that unauthenticated attackers can exploit to achieve entry to restricted data utilizing invalid RTCP packets despatched throughout a VoLTE/VoWiFi IMS calls.
In October, the corporate mounted one other zero-day (CVE-2024-43047) that the Serbian Safety Data Company (BIA) and the Serbian police exploited to unlock seized Android gadgets belonging to activists, journalists, and protestors utilizing Cellebrite’s knowledge extraction software program.
Whereas investigating the assaults, Google’s Risk Evaluation Group (TAG) discovered proof suggesting that gadgets have been additionally contaminated with NoviSpy spy ware utilizing an exploit chain to avoid Android’s safety mechanisms and set up itself persistently on the kernel stage.
One 12 months earlier, Qualcomm additionally warned that menace actors have been exploiting three extra zero-day vulnerabilities in its GPU and Compute DSP drivers.
In recent times, the corporate has patched varied different chipset safety flaws that would let attackers entry customers’ textual content messages, name historical past, media recordsdata, and real-time conversations.
Guide patching is outdated. It is gradual, error-prone, and hard to scale.
Be part of Kandji + Tines on June 4 to see why previous strategies fall brief. See real-world examples of how fashionable groups use automation to patch quicker, reduce threat, keep compliant, and skip the advanced scripts.
