Google fixed two Qualcomm bugs that were actively exploited in the wild

Google addressed multiple Android flaws, including two Qualcomm vulnerabilities that were actively exploited in the wild.

Google released security updates to address multiple Android vulnerabilities, including two Qualcomm flaws, tracked as CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), that were actively exploited in the wild.

In June, the Google Android Security team reported three issues, tracked as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, to Qualcomm.

“There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation.” reads the report published by the vendor. “Patches for the issues affecting the Adreno Graphics Processing Unit (GPU) driver have been made available to OEMs in May together with a strong recommendation to deploy the update on affected devices as soon as possible.”

Below are the descriptions of these vulnerabilities:

  • CVE-2025-21479 (CVSS score: 8.6) – The flaw is an Incorrect Authorization issue in the Graphics component. “Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.” reads the advisory.
  • CVE-2025-21480 (CVSS score: 8.6) – The flaw is an Incorrect Authorization issue in Graphics Windows. “Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.” reads the advisory.
  • CVE-2025-27038 (CVSS score: 7.5) – The flaw is a use-after-free issue in the Graphics component. “Memory corruption while rendering graphics using Adreno GPU drivers in Chrome.” states the advisory.

The company did not share details about the attacks exploiting the three vulnerabilities.

In early July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Qualcomm chipset flaws to its Known Exploited Vulnerabilities (KEV) catalog.

The most severe flaw addressed by Google is a critical vulnerability, tracked as CVE-2025-48530, in the System component that enabled remote code execution without user interaction or extra privileges, when combined with other bugs.

The company released two Android patch levels, 2025-08-01 and 2025-08-05, with the latter including fixes from Arm and Qualcomm. Users are urged to update as soon as possible.
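As an added example (not from Google, Qualcomm, or the original article), the following sketch triages a device inventory against the two patch levels named above. It assumes each device's level has already been collected as a `YYYY-MM-DD` string, the format Android reports in the `ro.build.version.security_patch` property; the inventory layout, device names, and bucket labels are hypothetical.

```python
from datetime import date

# Patch levels named in the article. Per the article, 2025-08-05 is the level
# that adds the Arm and Qualcomm fixes on top of 2025-08-01.
BASE_LEVEL = date(2025, 8, 1)
VENDOR_LEVEL = date(2025, 8, 5)


def classify(patch_level: str) -> str:
    """Map a reported security patch level string to a triage bucket."""
    try:
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"  # empty or malformed value: needs manual inspection
    if level >= VENDOR_LEVEL:
        return "covered"
    if level >= BASE_LEVEL:
        return "missing-vendor-fixes"  # 2025-08-01 only: no Arm/Qualcomm fixes
    return "missing-august-fixes"


def triage(inventory: str) -> dict[str, list[str]]:
    """Group device ids by bucket from 'device_id,patch_level' lines."""
    buckets: dict[str, list[str]] = {}
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        device_id, _, level = line.partition(",")
        buckets.setdefault(classify(level), []).append(device_id.strip())
    return buckets


# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE = """\
# device_id,security_patch
pixel-001,2025-08-05
tablet-017,2025-08-01
phone-042,2025-06-05
kiosk-003,
phone-050,2025-09-01
"""

if __name__ == "__main__":
    for bucket, devices in sorted(triage(SAMPLE).items()):
        print(f"{bucket}: {', '.join(devices)}")
```

The patch level is a value the device build reports about itself, so a device in the `covered` bucket still depends on the OEM having actually shipped the vendor fixes in that build.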


Pierluigi Paganini

(SecurityAffairs – hacking, Android)
