Qualcomm has released urgent security updates addressing three critical zero-day vulnerabilities in its Adreno Graphics Processing Units (GPUs). According to findings from the Google Android Security team, these vulnerabilities are being actively exploited in targeted attacks. The discovery highlights significant security concerns for devices utilizing Qualcomm’s widespread GPU technology.
Technical Analysis of the Zero-Day Vulnerabilities
Two severe authorization flaws (tracked as CVE-2025-21479 and CVE-2025-21480) have been identified in the Graphics component, both receiving a CVSS score of 8.6. These vulnerabilities enable attackers to trigger memory corruption by executing unauthorized instructions within the GPU microcode context through specific command sequences. The technical severity of these flaws presents a substantial risk to affected devices.
The third vulnerability (CVE-2025-27038), rated with a CVSS score of 7.5, manifests as a use-after-free condition in the graphics component. This flaw can lead to memory compromise during graphics processing in Chrome browser sessions utilizing Adreno GPU drivers, potentially allowing attackers to execute arbitrary code.
Impact Assessment and Affected Systems
The vulnerabilities affect a broad range of devices incorporating Qualcomm’s Adreno GPUs, including smartphones, tablets, and IoT devices. The active exploitation of these flaws in the wild makes them particularly concerning, as they could lead to complete device compromise, data theft, and unauthorized surveillance.
Mitigation Strategies and Security Updates
Qualcomm distributed the necessary patches to Original Equipment Manufacturers (OEMs) in May 2024. Security experts strongly recommend implementing these updates immediately across all affected devices. Organizations should prioritize patch deployment and monitor for any signs of exploitation attempts.
Historical Context and Threat Analysis
These vulnerabilities bear similarities to previous Qualcomm chipset exploits (CVE-2023-33063, CVE-2023-33106, and CVE-2023-33107) that were weaponized by commercial spyware developers like Variston and Cy4Gate. The pattern suggests a continuing trend of sophisticated actors targeting mobile device hardware vulnerabilities for surveillance purposes.
Users of devices with Adreno GPUs should immediately check for and install available security updates. Organizations should implement comprehensive security monitoring solutions and maintain robust incident response procedures. The severity of these vulnerabilities, combined with their active exploitation, emphasizes the critical importance of prompt patching and continuous security vigilance in protecting against advanced persistent threats targeting mobile devices.