In June 2025, Qualcomm, a leading mobile chip manufacturer, released urgent security patches addressing three critical zero-day vulnerabilities in its Adreno GPU drivers. These vulnerabilities, identified as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, were actively exploited in targeted attacks against Android users worldwide.
Overview of the Vulnerabilities
The vulnerabilities were discovered through collaborative efforts between Qualcomm and Google’s Android Security team. The two critical authorization flaws, CVE-2025-21479 and CVE-2025-21480, were reported in late January 2025, while the use-after-free vulnerability, CVE-2025-27038, was identified in March 2025. This timeline underscores the continuous nature of security research targeting mobile GPU drivers.
Details of the Vulnerabilities
1. CVE-2025-21479 and CVE-2025-21480: Both vulnerabilities are classified as critical, with CVSS scores of 8.6. They involve incorrect authorization flaws in the Graphics component, allowing memory corruption through unauthorized command execution in GPU microcode during specific command sequences. Exploitation of these flaws can lead to elevated privileges and potential system compromise.
2. CVE-2025-27038: This vulnerability carries a CVSS score of 7.5 and represents a use-after-free flaw in the Graphics component. It causes memory corruption during graphics rendering through Adreno GPU drivers, specifically within the Chrome browser. Attackers can exploit this flaw to bypass browser isolation mechanisms and execute arbitrary code on the target system.
Impact and Exploitation
The vulnerabilities affect Qualcomm’s Adreno GPU framework and can be triggered through specially crafted command sequences transmitted to the GPU driver. For the Chrome-related vulnerability, attackers can exploit the flaw through malicious web content that triggers graphics rendering operations. Security researchers note that these types of GPU vulnerabilities are particularly valuable to commercial spyware operators and advanced persistent threat groups seeking to escalate privileges on compromised devices.
Response and Mitigation
Qualcomm distributed patches for all three vulnerabilities to Original Equipment Manufacturers (OEMs) in May 2025, accompanied by strong recommendations for immediate deployment. The company emphasizes that device manufacturers should prioritize these updates, given the active exploitation status. Users are advised to contact their device manufacturers for specific information about patch availability for their devices.
Broader Context
The discovery highlights ongoing security challenges in mobile GPU drivers, which represent attractive targets for sophisticated attackers. Commercial spyware vendors and state-sponsored threat actors have previously weaponized similar Qualcomm vulnerabilities. The rapid disclosure and patching timeline demonstrates improved coordination between security researchers, chipset manufacturers, and device vendors in addressing critical mobile security threats.
Recommendations for Users
Users should ensure their Android devices receive the latest security updates and monitor manufacturer communications regarding patch availability. Regularly updating device software is crucial in protecting against known vulnerabilities and potential exploits.
