Full Report
Qualcomm has shipped security updates to address three zero-day vulnerabilities that it said have been exploited in limited, targeted attacks in the wild. The flaws in question, which were responsibly disclosed to the company by the Google Android Security team, are listed below - CVE-2025-21479 and CVE-2025-21480 (CVSS score: 8.6) - Two incorrect authorization vulnerabilities in the Graphics
Analysis Summary
# Vulnerability: Zero-Days in Qualcomm Adreno GPU Driver Exploited in Targeted Android Attacks
## CVE Details
- CVE IDs: CVE-2025-21479, CVE-2025-21480, CVE-2025-27038
- CVSS Score: 8.6 (High) for CVE-2025-21479 and CVE-2025-21480; 7.5 (High) for CVE-2025-27038
- CWE: (Not explicitly specified, related to Access Control/Authorization and Memory Corruption)
## Affected Systems
- Products: Qualcomm Adreno Graphics Processing Unit (GPU) drivers/components.
- Versions: Affected versions are not specified, but patches have been made available to OEMs (Original Equipment Manufacturers).
- Configurations: Vulnerabilities are triggered during graphics rendering or execution of a specific sequence of commands in the GPU microcode.
## Vulnerability Description
Three zero-day vulnerabilities were found in the Qualcomm Graphics component affecting the Adreno GPU drivers:
1. **CVE-2025-21479 & CVE-2025-21480 (Score 8.6):** Two incorrect authorization vulnerabilities within the Graphics component. Exploitation can lead to memory corruption via unauthorized command execution in the GPU microcode when processing a specific sequence of commands.
2. **CVE-2025-27038 (Score 7.5):** A use-after-free vulnerability within the Graphics component that occurs while rendering graphics using Adreno GPU drivers in Chrome. This can also lead to memory corruption.
## Exploitation
- Status: Indications from Google Threat Analysis Group suggest **limited, targeted exploitation in the wild**.
- Complexity: Not explicitly detailed, but zero-days exploited in targeted attacks usually imply significant complexity or specific access requirements.
- Attack Vector: The context (GPU memory corruption, graphics rendering) suggests potential for **Remote** or **Local** code execution, likely via specially crafted media or application usage.
## Impact
- Confidentiality: High (Potential for data access/leakage through memory corruption on a compromised device)
- Integrity: High (Potential for arbitrary code execution or system modification)
- Availability: High (Potential for system crash or denial of service through memory corruption)
## Remediation
### Patches
- Qualcomm made patches available to OEMs in **May 2025** with a strong recommendation for immediate deployment on affected devices.
- Affected Android devices should receive subsequent security updates containing these fixes.
### Workarounds
- No official workarounds are listed in the summary. Because these are low-level GPU/driver flaws, stopping the specific sequence of commands or isolating rendering processes might offer temporary, manual mitigation if patches are unavailable, but this is not recommended over patching.
## Detection
- Detection methods are not detailed. The primary indicator of compromise would be malicious payloads intended to trigger the specific GPU command sequences or rendering conditions that lead to memory corruption.
- Given the context of targeted attacks, monitoring for unusual application behavior related to graphics processing or hardware-level crashes may be relevant.
## References
- Vendor Advisories: Qualcomm Security Advisory (details not provided, referenced internally by Google TAG findings).
- Relevant links:
  - Previously related Qualcomm vulnerabilities: hxxps://thehackernews.com/2023/12/qualcomm-releases-details-on-chip.html
  - Context on spyware use against similar flaws: hxxps://thehackernews.com/2024/02/global-coalition-and-tech-giants-unite.html
  - Context on other Qualcomm exploitation: hxxps://thehackernews.com/2024/12/novispy-spyware-installed-on.html