Qualcomm has released urgent security updates to fix three zero-day vulnerabilities in its Adreno GPU drivers that are being actively exploited in targeted attacks.
Two of the flaws, tracked as CVE-2025-21479 and CVE-2025-21480, are critical and were first reported by Google’s Android Security team in January 2025. The third, CVE-2025-27038, is a high-severity issue reported in March. All three affect multiple Qualcomm chipsets and are already being used in limited attacks, according to Google’s Threat Analysis Group (TAG).
The first two vulnerabilities involve incorrect authorization in the GPU graphics framework. When a specific sequence of commands is sent to the GPU micronode, it can lead to unauthorized command execution and memory corruption. The third flaw is a use-after-free issue that occurs when rendering graphics using Adreno GPU drivers in Google Chrome, also resulting in memory corruption.
Qualcomm confirmed the targeted attacks in a security advisory published Monday. “There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation,” the company said.
Patches have been made available to device manufacturers since May, and Qualcomm strongly recommends that these fixes be deployed immediately to protect users.
In addition to the GPU-related flaws, Qualcomm also addressed another vulnerability this month—CVE-2024-53026. This buffer over-read in the Data Network Stack & Connectivity module could allow attackers to access sensitive information during VoLTE or VoWiFi calls by sending invalid RTCP packets.
Qualcomm has faced similar issues in the past. In October 2024, it patched another zero-day (CVE-2024-43047) that was exploited by Serbian authorities to unlock Android devices using Cellebrite’s forensic tools. That attack was linked to spyware known as NoviSpy, which Google TAG found to be bypassing Android’s security systems and installing itself deeply in the device’s kernel.
In 2023, Qualcomm also warned about three other zero-day bugs being exploited in the wild, again involving its GPU and DSP (digital signal processing) drivers.
Over the years, Qualcomm has patched many security flaws across its chipsets, some of which could let attackers access text messages, call history, photos, videos, and even live audio from affected devices.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
Device users are advised to keep their systems updated as OEMs begin rolling out these latest patches.
