Qualcomm Fixes Three Adreno GPU Flaws Abused in Android Attacks – Source: securityboulevard.com

Source: securityboulevard.com – Author: Jeffrey Burt

Chip maker Qualcomm this week issued fixes for three zero-day vulnerabilities in its Adreno GPUs that threat analysts with Google’s Threat Intelligence Group said bad actors could be exploiting against Android device users.

Two of the security flaws, tracked as CVE-2025-21479 and CVE-2025-21480 and reported by Google’s Android Security unit in January, both involve authorization vulnerabilities in the chip’s Graphics component. Each flaw allows unauthorized command execution in the GPU micronode – important features for processing and rendering graphics – while executing a specific sequence of commands.

Exploitation of the vulnerabilities, which both carry a CVSS severity score of 8.6 out of 10, could lead to memory corruption of the chip, according to Qualcomm.

The third, CVE-2025-27038, is a use-after-free vulnerability that could create corruption in memory when rendering graphics using Adreno GPU drivers in Chrome. It has a CVSS score of 7.5.

The patches for the vulnerabilities were issued in May, with Qualcomm pairing them with “a strong recommendation to deploy the update on affected devices as soon as possible.”

‘High Impact Vulnerabilities’

“This table lists high impact security vulnerabilities,” the chip maker wrote. “Patches are being actively shared with OEMs, who have been notified and strongly recommended to deploy those patches on released devices as soon as possible. … There are indications from Google Threat Analysis Group that [all three vulnerabilities] may be under limited, targeted exploitation.”

There were no details about who was possibly exploiting the security flaws or how they were doing it.

A Force in Mobile Devices

Qualcomm and its mobile chips have long been staples in many mobile devices that leverage the power-efficient designs that come with the Arm architecture and Qualcomm’s own technologies. In a diversifying 5G smartphone market, Qualcomm holds the lead among mid-range devices, analysts with Omdia reported last year. However, among the increasingly popular 5G smartphones that come in under the $250 price range, MediaTek is the top choice.

Apple holds the lead in the premium segment, the analysts wrote.

Still, Qualcomm in its latest financial quarter saw revenue and net income jump year-over-year by 17% and 21%, respectively. In addition, company executives last month confirmed plans to design and sell CPUs for servers.

Previous Spyware Incident

The company has had to fix other flaws in its chips in the past. In October 2024, Qualcomm issued a fix for another zero-day vulnerability – CVE-2024-43047 – that the Serbian Security Information Agency (BIA) and Serbian police exploited to unlock seized Android devices that belonged to activists, journalists, and protestors in the country. The law enforcement agencies used Cellebrite’s data extraction software to access and deploy NoviSpy, a bespoke Android spyware.

According to Amnesty International, Serbian officials used Cellebrite’s software to exploit a “vulnerability, identified in collaboration with security researchers at Google Project Zero and Threat Analysis Group, affected millions of Android devices worldwide that use the popular Qualcomm chipsets.”

“While less technically advanced than highly-invasive commercial spyware like Pegasus, NoviSpy – a previously unknown Android spyware – still provides Serbian authorities with extensive surveillance capabilities once installed on a target’s device,” the human rights group wrote in its report. “NoviSpy can capture sensitive personal data from a target phone and provide capabilities to turn on a phone’s microphone or camera remotely, while Cellebrite forensic tools are used to both unlock the phone prior to spyware infection and also allow the extraction of the data on a device.”

Original Post URL: https://securityboulevard.com/2025/06/qualcomm-fixes-three-adreno-gpu-flaws-abused-in-android-attacks/?utm_source=rss&utm_medium=rss&utm_campaign=qualcomm-fixes-three-adreno-gpu-flaws-abused-in-android-attacks

Category & Tags: Cybersecurity, Data Privacy, Data Security, Endpoint, Featured, Identity & Access, Mobile Security, News, Security Awareness, Security Boulevard (Original), Social – Facebook, Social – LinkedIn, Social – X, Spotlight, Threat Intelligence, 3 zero day vulnerabilities, Android devices, Google Threat Intelligence, Qualcomm
