Qualcomm has issued fixes for three zero-day vulnerabilities in its Adreno GPU driver, which are being exploited in targeted cyberattacks.
Two of the flaws, CVE-2025-21479 and CVE-2025-21480, involve improper authorization in the graphics framework and can result in memory corruption, while the third, CVE-2025-27038, is a use-after-free bug triggered during Chrome graphics rendering.
These security holes were reported by Google’s Android and Threat Analysis teams, which noted evidence of limited active exploitation. Patches were distributed to device manufacturers in May, with Qualcomm urging immediate deployment.
Additionally, the company resolved a buffer over-read vulnerability (CVE-2024-53026) in its network stack, which could allow attackers to access sensitive data during VoLTE or VoWiFi calls.
Qualcomm previously patched other exploited flaws, including one allegedly used by Serbian authorities to extract data from Android devices using Cellebrite tools. The company continues to address ongoing threats, as its chipsets have frequently been targeted due to the sensitive data they handle.
Read more...