- Qualcomm has approached three zero days abused since January 2025
- Pathers must now be applied by Oems
- There are no details about bank abuse, but users must still be on guard
Qualcomm has finally paved three vulnerabilities of Zero GPU of Adreno that were being abused in nature.
According to the Android Security Bulletin of June 2025, the chips manufacturer has now set CVE-2025-21479, CVE-2025-21480 and CVE-2025-27038.
The first two are incorrect authorization failures in the graphic component. They were given a gravity score of 8.6/10 (high), and could activate the corruption of memory. They were first observed in January 2025. The third error is a vulnerability of use free of use in the graphic component that also leads to the corruption of memory. This received a lower gravity score: 7.5/10.
INTACT PAYMENT INFORMATION
“There are indications of Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be low limited and specific exploitation,” said Qualcomm.
“The patches for the problems that affect the controller of the Adreno Graphics Processing Unit (GPU) have been made available to the OEM in May, together with a solid recommendation to implement the update in the affected devices as soon as possible.”
Now, it depends on different device manufacturers, such as Samsung, Google Oneplus or Xiaomi, to apply these patches in their products.
The affected devices cover a wide range of Qualcomm chips sets, including flagship models such as the Snapdragon 8 Gen 2 and Gen 3, as well as the average range and budget platforms, such as Snapdragon 695, 778g and 4 GEN 1/2.
There are currently no details about who abused these defects, against whom, and for what purpose, however, similar vulnerabilities used in the past in Spyware campaigns such as Variston and Cy4Gate were observed.
The Serbio Secret Service Agency, BIA, used a separate Qualcomm error (CVE-2024-43047) to unlock Android devices seized by journalists, activists and protesters, the same source states.
Through The hacker news
