
Qualcomm has fixed three zero-day vulnerabilities exploited by hackers. The chipmaker rolled out patches on Monday to address vulnerabilities in dozens of its chipsets. These flaws, identified as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, were reported by Google’s Android Security team in February and flagged by Google’s Threat Analysis Group (TAG) as potentially under “limited, targeted exploitation.” This revelation underscores the ongoing battle to secure the billions of devices powered by Qualcomm chips, from smartphones to IoT devices. In this article, we’ll explore the nature of these zero-day vulnerabilities, their implications, Qualcomm’s response, and what users and manufacturers need to know to stay protected.
Key Takeaways
- Zero-Day Vulnerabilities: Qualcomm fixes three zero-day exploits (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) in its Adreno GPU drivers, actively exploited in targeted attacks.
- Google’s Role: Google’s Android Security team and Threat Analysis Group identified and reported the vulnerabilities, highlighting their potential use in government-backed cyberattacks.
- Patch Availability: Qualcomm released security updates in May 2025, urging OEMs to deploy patches swiftly to protect Android devices.
- User Action: Device users should check for software updates from their manufacturers to mitigate risks from these exploited flaws.
- Broader Impact: These vulnerabilities affect a wide range of Qualcomm chipsets, emphasizing the need for robust cybersecurity in mobile and IoT ecosystems.
Understanding Zero-Day Vulnerabilities
What Are Zero-Day Vulnerabilities?
Zero-day vulnerabilities are security flaws unknown to the software or hardware vendor at the time of their discovery. This makes them particularly dangerous, as hackers can exploit them before patches are developed, leaving systems defenseless. In Qualcomm’s case, the three zero-days—CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038—affect the Adreno GPU drivers, critical components in rendering graphics on Android devices. These flaws could allow attackers to execute unauthorized commands or cause memory corruption, potentially leading to device compromise or spyware installation.
Why Zero-Days Are a Prime Target for Hackers
Zero-days are prized by cybercriminals and state-sponsored hackers due to their stealth and potency. According to a 2023 report by the Ponemon Institute, the average cost of a data breach involving zero-day exploits exceeds $4 million, with mobile devices being prime targets due to their widespread use. The Qualcomm vulnerabilities, flagged by Google’s TAG, are suspected to be part of targeted campaigns, possibly linked to commercial spyware vendors like Variston or Cy4Gate, as noted in posts on X.
The Qualcomm Zero-Day Vulnerabilities Explained
CVE-2025-21479 and CVE-2025-21480: Incorrect Authorization Flaws
The first two vulnerabilities, CVE-2025-21479 and CVE-2025-21480, are incorrect authorization issues in the Graphics component of Qualcomm’s Adreno GPU drivers, each with a CVSS score of 8.6. These flaws allow unauthorized command execution in the GPU microcode when specific sequences of commands are issued. This can lead to memory corruption, enabling attackers to gain elevated privileges or execute malicious code. Such vulnerabilities are particularly concerning for Android devices, where GPUs handle intensive tasks like gaming and video rendering.
CVE-2025-27038: Use-After-Free Vulnerability
The third vulnerability, CVE-2025-27038, with a CVSS score of 7.5, is a use-after-free flaw in the Graphics component. This issue occurs when the Adreno GPU drivers improperly handle memory while rendering graphics in browsers like Chrome. A use-after-free bug can cause memory corruption, potentially allowing attackers to install malware or take control of a device. Google’s TAG noted that this flaw, like the others, is under limited, targeted exploitation, suggesting sophisticated attackers are leveraging it.
Affected Qualcomm Chipsets
Qualcomm’s chipsets, including Snapdragon, FastConnect, and QCA series, power billions of devices, from smartphones to tablets, routers, and cars. The vulnerabilities impact dozens of these chipsets, making the scope of this issue vast. While Qualcomm has not publicly detailed the full list of affected chips, the company confirmed that patches were made available to original equipment manufacturers (OEMs) in May 2025, urging them to deploy updates promptly.
Qualcomm’s Response and Patch Deployment
Swift Action by Qualcomm
Qualcomm acted quickly after Google’s Android Security team reported the vulnerabilities in February 2025. By May, the company had developed and distributed patches to OEMs, emphasizing the urgency of deployment. In its June 2025 security bulletin, Qualcomm acknowledged the potential exploitation of these flaws, citing Google’s TAG findings. The company’s proactive communication with device manufacturers highlights its commitment to addressing critical security threats.
Challenges in Patch Distribution
Due to Android’s fragmented ecosystem, patch deployment depends on device manufacturers like Samsung, Xiaomi, and OnePlus. This process can take weeks or months, leaving some devices vulnerable even after patches are available. A 2024 study by Statista revealed that only 40% of Android devices receive security updates within three months of a patch release, underscoring the challenge of timely updates in the Android ecosystem.
The Role of Google’s Threat Analysis Group
Google’s TAG and Android Security Team
Google’s Threat Analysis Group (TAG), which focuses on government-backed cyberattacks, played a pivotal role in identifying the exploitation of these zero-days. TAG’s findings suggest that the vulnerabilities may be linked to sophisticated actors, potentially including commercial spyware vendors. The Android Security team, responsible for reporting the flaws to Qualcomm, continues to bolster the security of the Android platform, which powers over 2.5 billion devices worldwide.
Historical Context: Qualcomm’s Previous Zero-Days
This isn’t the first time Qualcomm has faced zero-day vulnerabilities. In 2023, Qualcomm patched four zero-days (CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063) in its GPU and DSP drivers, also flagged by Google’s TAG and Project Zero. These incidents highlight the recurring challenge of securing complex chip architectures against advanced threats.
Implications for Users and Manufacturers
Risks to Device Users
The exploitation of these zero-days poses significant risks, including data theft, spyware installation, or full device compromise. Smartphones, which store sensitive information like contacts, emails, and financial data, are particularly vulnerable. For instance, a successful exploit could allow attackers to access a user’s banking apps or personal communications, leading to financial or privacy losses.
Responsibilities of OEMs
Device manufacturers bear the responsibility of deploying Qualcomm’s patches to end users. Qualcomm has urged OEMs to act swiftly, but the speed of updates varies widely. High-end devices from brands like Google and Samsung typically receive faster updates, while budget or older devices may lag. Users are advised to check for software updates regularly and contact their device manufacturer for patch status.
How to Protect Your Device
Steps for Users
To mitigate risks from these vulnerabilities, users should take the following actions:
- Check for Updates: Navigate to your device’s settings and check for software updates. Install any available updates immediately.
- Limit App Downloads: Avoid downloading apps from unverified sources, as malware often exploits vulnerabilities like these.
- Use Trusted Browsers: Since CVE-2025-27038 affects Chrome’s graphics rendering, ensure your browser is updated to the latest version.
- Monitor Device Behavior: Be alert for unusual activity, such as slow performance or unexpected pop-ups, which could indicate an exploit.
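For anyone checking more than one handset, the update check above can be scripted against the output of adb shell getprop. The following is an added example, not code from Qualcomm, Google or the original article: it parses that output and flags Qualcomm-based devices whose security patch level is older than a baseline you supply. The baseline date, the sample property dumps and the SoC-detection heuristic are assumptions; the article does not state which patch level carries the fixes.

```python
import re
from datetime import date

# Constructed placeholder. Take the real date from your OEM's bulletin;
# the article does not say which patch level carries these fixes.
DEMO_BASELINE = date(2025, 6, 5)

# Constructed `adb shell getprop` excerpts, not captured from real devices.
VENDOR_LAG = """[ro.hardware]: [qcom]
[ro.soc.manufacturer]: [QTI]
[ro.build.version.security_patch]: [2025-09-05]
[ro.vendor.build.security_patch]: [2025-03-01]"""
UP_TO_DATE = VENDOR_LAG.replace("2025-03-01", "2025-09-05")
OTHER_SOC = """[ro.hardware]: [examplechip]
[ro.soc.manufacturer]: [ExampleVendor]
[ro.build.version.security_patch]: [2025-01-01]"""
NO_DATES = "[ro.hardware]: [qcom]\n[ro.build.version.security_patch]: []"

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict, ignoring anything else."""
    matches = (PROP_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def is_qualcomm(props):
    # Heuristic (assumption): property values commonly seen on Qualcomm builds.
    soc = props.get("ro.soc.manufacturer", "").lower()
    return soc in ("qti", "qualcomm") or props.get("ro.hardware", "").lower() == "qcom"

def oldest_patch_level(props):
    """Older of the system and vendor patch levels, so a lagging partition shows up."""
    levels = []
    for key in ("ro.build.version.security_patch", "ro.vendor.build.security_patch"):
        try:
            levels.append(date.fromisoformat(props[key]))
        except (KeyError, ValueError):
            continue  # property absent, empty or malformed
    return min(levels) if levels else None

def assess(getprop_text, baseline):
    props = parse_getprop(getprop_text)
    if not is_qualcomm(props):
        return "not-qualcomm"
    level = oldest_patch_level(props)
    if level is None:
        return "unknown"
    return "ok" if level >= baseline else "behind"

if __name__ == "__main__":
    for name in ("VENDOR_LAG", "UP_TO_DATE", "OTHER_SOC", "NO_DATES"):
        print(name, assess(globals()[name], DEMO_BASELINE))
```

A device reported as "unknown" or "behind" is one to follow up with the manufacturer, as the article advises.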
Best Practices for Cybersecurity
Beyond immediate actions, adopting robust cybersecurity habits is crucial. Enable two-factor authentication (2FA) on critical accounts, use a reputable antivirus app, and avoid connecting to unsecured Wi-Fi networks. These measures can reduce the risk of exploitation, even on unpatched devices.
The Bigger Picture: Securing the Mobile Ecosystem
The Role of Chipmakers in Cybersecurity
Qualcomm’s swift response to these zero-days reflects the critical role chipmakers play in the cybersecurity landscape. As the backbone of mobile and IoT devices, chipsets like Snapdragon are prime targets for attackers. The collaboration between Qualcomm, Google, and OEMs exemplifies the need for a unified approach to securing the mobile ecosystem.
The Future of Zero-Day Mitigation
The increasing sophistication of zero-day exploits demands proactive measures. Advances in AI-driven threat detection, like those used by Google’s TAG, are helping identify vulnerabilities faster. Additionally, initiatives like Google’s Project Zero, which focuses on finding and reporting zero-days, are crucial for staying ahead of attackers. In 2024, Project Zero reported over 200 zero-days across various platforms, highlighting the scale of the challenge.
Summary
Qualcomm’s recent patches for three zero-day vulnerabilities (CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038) address critical flaws in its Adreno GPU drivers, which were actively exploited in targeted attacks. Reported by Google’s Android Security team and flagged by TAG, these vulnerabilities could allow attackers to compromise devices or install spyware. Qualcomm released patches in May 2025, but the fragmented Android ecosystem means some devices may remain vulnerable. Users should update their devices promptly, limit app downloads, and adopt strong cybersecurity practices to stay protected. This incident underscores the importance of collaboration between chipmakers, security researchers, and OEMs to safeguard the billions of devices powered by Qualcomm chips.
FAQs
1. What are the Qualcomm zero-day vulnerabilities patched in June 2025?
The vulnerabilities, CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, are flaws in Qualcomm’s Adreno GPU drivers that could lead to memory corruption or unauthorized command execution.
2. Who discovered these zero-day vulnerabilities?
Google’s Android Security team reported the vulnerabilities to Qualcomm in February 2025, with Google’s Threat Analysis Group (TAG) identifying signs of limited, targeted exploitation.
3. What devices are affected by these vulnerabilities?
Devices using Qualcomm chipsets, including Snapdragon, FastConnect, and QCA series, are impacted. This includes many Android smartphones, tablets, and IoT devices.
4. How can I protect my device from these vulnerabilities?
Check for software updates in your device’s settings, install them promptly, avoid unverified apps, and keep your browser updated.
5. What is a zero-day vulnerability?
A zero-day vulnerability is a security flaw unknown to the vendor at the time of discovery, making it exploitable by hackers before a patch is available.
6. Are these vulnerabilities being actively exploited?
Yes, Google’s TAG reported that the vulnerabilities are under limited, targeted exploitation, possibly by commercial spyware vendors.
7. When were the patches for these vulnerabilities released?
Qualcomm released patches to OEMs in May 2025, with the security bulletin published in June 2025.
8. Why do some devices remain vulnerable after patches are released?
Android’s fragmented ecosystem means OEMs must deploy patches, which can take weeks or months, depending on the manufacturer.
9. Can these vulnerabilities affect non-Android devices?
While primarily affecting Android devices, Qualcomm chipsets in IoT devices, routers, and cars could also be vulnerable, depending on the chipset.
10. What should I do if my device manufacturer hasn’t released a patch?
Contact your device manufacturer for patch status, enable 2FA, use trusted apps, and monitor your device for unusual behavior.