
Qualcomm has released critical security updates to address three zero-day vulnerabilities discovered in the Adreno GPU drivers, which are widely deployed across Android devices. All three flaws are currently being actively exploited in targeted attacks, as confirmed by experts from Google’s Threat Analysis Group (TAG). The patches were distributed to device manufacturers in May, accompanied by an urgent recommendation for immediate integration.
Two of the identified vulnerabilities—CVE-2025-21479 and CVE-2025-21480—stem from flaws in the GPU framework’s authorization mechanisms. These allow the execution of unauthorized commands within the GPU’s micronode, resulting in memory corruption. The vulnerabilities can be triggered via specially crafted command sequences passed to the driver. Both issues were initially discovered in January by Google’s Android security team.
The third vulnerability, CVE-2025-27038, is classified as a use-after-free error and was identified in March. It causes memory corruption during graphics processing via the Adreno driver in the Chrome browser. This flaw may be leveraged to bypass browser sandboxing and execute arbitrary code within the system. Of particular concern is that all three vulnerabilities have already been weaponized in real-world attacks, a fact corroborated by Google TAG.
Qualcomm has emphasized that patches have already been delivered to OEM partners and should be deployed to devices without delay. However, the fragmented nature of the Android ecosystem often leads to protracted update rollouts due to complex supply chains and certification processes.
Back in October 2024, Qualcomm was embroiled in a high-profile security incident involving CVE-2024-43047, which was exploited to compromise smartphones belonging to activists and journalists in Serbia. The country’s Security Intelligence Agency (BIA) and police reportedly used Cellebrite’s forensic tools to access device contents, circumventing screen lock protections. This same vulnerability allowed attackers to bypass Android’s built-in security controls and gain system-level access.
Google TAG’s investigation later revealed that in several instances, the attacks were accompanied by the deployment of the spyware NoviSpy. This malware achieved persistence by embedding itself at the kernel level through a sophisticated exploit chain, enabling remote control of devices and covert data collection.
These events follow a series of previous campaigns: in 2023, Qualcomm had already reported the active exploitation of three other zero-day flaws in its GPU and Compute DSP drivers. All were abused in-the-wild prior to patch release, underscoring the persistent interest of advanced threat actors in Qualcomm’s chipset architecture.
Over the past few years, Qualcomm has regularly addressed critical vulnerabilities that allowed unauthorized actors to access text messages, call histories, multimedia content, and even conduct live eavesdropping. Driver-level attacks are particularly perilous, as they can circumvent Android’s standard protections and penetrate deeply into core system components.
In light of the growing wave of targeted attacks, Qualcomm once again underscores the urgent need for timely deployment of security updates. Ultimately, user protection hinges on how swiftly device manufacturers and mobile carriers disseminate these patches across the broader consumer ecosystem.