Which Qualcomm vulnerabilities are actively being exploited?

Three vulnerabilities are confirmed under active exploitation: CVE-2025-21479 (CVSS 8.6), CVE-2025-21480 (CVSS 8.6), and CVE-2025-27038 (CVSS 8.6). All affect Adreno Graphics components and have been identified by Google's Threat Analysis Group as being exploited in limited, targeted attacks.

How does CVE-2025-27038 affect Chrome browsers?

CVE-2025-27038 is a use-after-free vulnerability that affects Graphics components and causes memory corruption while rendering graphics using Adreno GPU drivers in Chrome. It can be exploited to bypass browser isolation mechanisms and execute arbitrary code within Chrome browser environments.

What other high-severity vulnerabilities are included in the Qualcomm bulletin?

Additional high-severity vulnerabilities include CVE-2024-53010 (CVSS 7.8) for improper access control, multiple buffer over-read vulnerabilities in Data Network Stack & Connectivity (CVE-2024-53019, CVE-2024-53020, CVE-2024-53021, CVE-2024-53026 with CVSS 8.2), CVE-2025-27029 (CVSS 7.5) buffer over-read in WLAN HAL, and CVE-2025-27031 (CVSS 7.8) use-after-free in Bluetooth HOST.

Who discovered the actively exploited Qualcomm vulnerabilities?

Google's Threat Analysis Group confirmed that three of the Qualcomm Adreno GPU vulnerabilities (CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038) are under limited, targeted exploitation in the wild.

What should device manufacturers do about these Qualcomm vulnerabilities?

Qualcomm strongly recommends that Original Equipment Manufacturers deploy the available security updates on affected devices as soon as possible, especially given that three of the vulnerabilities are already being actively exploited in targeted attacks.

Advisory

Qualcomm patches actively exploited vulnerabilities in Adreno GPU Drivers

Q: What can attackers do with CVE-2025-21479 and CVE-2025-21480?

CVE-2025-21479 and CVE-2025-21480 are incorrect authorization vulnerabilities that enable attackers to execute rogue commands that corrupt system memory, potentially leading to elevated privileges and system compromise. They allow memory corruption due to unauthorized command execution in GPU micronode while executing specific sequences of commands.

Q: Which Qualcomm chipsets are affected by these vulnerabilities?

The vulnerabilities affect multiple Qualcomm chipsets, including flagship Snapdragon processors from the 8 Gen series, mid-range platforms, and various connectivity modules.

Q: Are patches available for the Qualcomm vulnerabilities?

Yes, Qualcomm has issued patches for these vulnerabilities and strongly recommended that Original Equipment Manufacturers deploy updates on affected devices as soon as possible.

published: June 4, 2025

Take action: Unfortunately, you as users can't apply these patches directly. All you can do is be diligent with updating your phone OS and firmware as the updates from the vendor are released.

Learn More

Qualcomm Technologies has released its June 2025 security bulletin addressing multiple vulnerabilities affecting its Adreno Graphics Processing Unit drivers, with three flaws confirmed to be under limited, targeted exploitation by Google's Threat Analysis Group

Actively exploited flaws

CVE-2025-21479 (CVSS score 8.6) - affects Graphics components with incorrect authorization vulnerability allowing memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands
CVE-2025-21480 (CVSS score 8.6) - affects Graphics Windows components with the same incorrect authorization issue enabling memory corruption through unauthorized command execution in GPU micronode
CVE-2025-27038 (CVSS score 8.6) - affects Graphics components with a use-after-free vulnerability causing memory corruption while rendering graphics using Adreno GPU drivers in Chrome

CVE-2025-21479 and CVE-2025-21480 enable attackers to execute rogue commands that corrupt system memory, potentially leading to elevated privileges and system compromise. CVE-2025-27038 can be exploited to bypass browser isolation mechanisms and execute arbitrary code within Chrome browser environments.

Additional High-Severity Vulnerabilities:

CVE-2024-53010 (CVSS score 7.8) - improper access control in Core components
CVE-2024-53019 (CVSS score 8.2) - buffer over-read in Data Network Stack & Connectivity
CVE-2024-53020 (CVSS score 8.2) - buffer over-read in Data Network Stack & Connectivity
CVE-2024-53021 (CVSS score 8.2) - buffer over-read in Data Network Stack & Connectivity
CVE-2024-53026 (CVSS score 8.2) - buffer over-read in Data Network Stack & Connectivity
CVE-2025-27029 (CVSS score 7.5) - buffer over-read in WLAN HAL
CVE-2025-27031 (CVSS score 7.8) - use-after-free in Bluetooth HOST

The vulnerabilities affect multiple \Qualcomm chipsets, including flagship Snapdragon processors from the 8 Gen series, mid-range platforms, and various connectivity modules. T

The company has issued patches for these vulnerabilities and strongly recommended that Original Equipment Manufacturers deploy updates on affected devices as soon as possible.

Qualcomm patches actively exploited vulnerabilities in Adreno GPU Drivers