Qualcomm has launched safety patches for 3 zero-day vulnerabilities within the Adreno Graphics Processing Unit (GPU) driver that impression dozens of chipsets and are actively exploited in focused assaults.
The corporate says two important flaws (tracked as CVE-2025-21479 and CVE-2025-21480) had been reported via the Google Android Safety staff in late January, and a 3rd high-severity vulnerability (CVE-2025-27038) was reported in March.
The primary two are each Graphics framework incorrect authorization weaknesses that may result in reminiscence corruption due to unauthorized command execution within the GPU micronode whereas executing a selected sequence of instructions, whereas CVE-2025-27038 is a use-after-free inflicting reminiscence corruption whereas rendering graphics utilizing Adreno GPU drivers in Chrome.
“There are indications from Google Risk Evaluation Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 could also be underneath restricted, focused exploitation,” Qualcomm warned in a Monday advisory.
“Patches for the problems affecting the Adreno Graphics Processing Unit (GPU) driver have been made out there to OEMs in Might along with a robust suggestion to deploy the replace on affected units as quickly as attainable.”
This month, Qualcomm has additionally addressed a buffer over-read in Knowledge Community Stack & Connectivity (CVE-2024-53026) that unauthenticated attackers can exploit to realize entry to restricted info utilizing invalid RTCP packets despatched throughout a VoLTE/VoWiFi IMS calls.
In October, the corporate fastened one other zero-day (CVE-2024-43047) that the Serbian Safety Data Company (BIA) and the Serbian police exploited to unlock seized Android units belonging to activists, journalists, and protestors utilizing Cellebrite’s information extraction software program.
Whereas investigating the assaults, Google’s Risk Evaluation Group (TAG) discovered proof suggesting that units had been additionally contaminated with NoviSpy spy ware utilizing an exploit chain to avoid Android’s safety mechanisms and set up itself persistently on the kernel degree.
One 12 months earlier, Qualcomm additionally warned that menace actors had been exploiting three extra zero-day vulnerabilities in its GPU and Compute DSP drivers.
Lately, the corporate has patched numerous different chipset safety flaws that might let attackers entry customers’ textual content messages, name historical past, media information, and real-time conversations.
Guide patching is outdated. It is sluggish, error-prone, and difficult to scale.
Be a part of Kandji + Tines on June 4 to see why outdated strategies fall brief. See real-world examples of how fashionable groups use automation to patch sooner, minimize threat, keep compliant, and skip the complicated scripts.
