
Qualcomm has released security updates to address three zero-day vulnerabilities that it said were exploited in limited, targeted attacks in the wild.
The flaws, which were responsibly disclosed to the company by the Google Android Security Team, are listed below:
CVE-2025-21479 and CVE-2025-21480 (CVSS score: 8.6) – Two incorrect authorization vulnerabilities in the Graphics component. The Graphics component flaws can cause memory corruption while rendering graphics using Adreno GPU drivers in Chrome.
“According to the Google Threat Analysis Group, CVE-2025-21479, CVE-2025-21480 and CVE-2025-27038 may be under limited, targeted exploitation,” Qualcomm said in its advisory.

“The patch for issues affecting Adreno Graphics Processing Unit (GPU) drivers was made available to OEMs in May.”
Currently there are no details about how the vulnerabilities are being exploited, in what context, and who is being targeted. That said, similar flaws in Qualcomm chipsets (CVE-2023-33063, CVE-2023-33106, and CVE-2023-33107) have been weaponized in the past by commercial spyware providers such as Variston and Cy4Gate.
Last December, Amnesty International disclosed Android spyware activity involving another Qualcomm security flaw (CVE-2024-43047), which was exploited by the Serbian Security Intelligence Agency (BIA) and Serbian police, who used Cellebrite data extraction software to unlock Android devices belonging to activists, journalists and protesters.