NEWS Android Under Fire: 0-day Vulnerability in Qualcomm GPU Drivers Already Used in Attacks – Millions of Devices Vulnerable Right Now

ExcalibuR


Qualcomm patches security holes—while exploits are already underway within Chrome.


Qualcomm has released security updates to address three critical zero-day vulnerabilities in the Adreno GPU drivers, which are used in many Android devices. All three vulnerabilities are already actively exploited in targeted attacks, according to the Google Threat Analysis Group. The fixes were provided to device manufacturers in May, with a strong recommendation for immediate implementation.


Two of the identified vulnerabilities, CVE-2025-21479 and CVE-2025-21480, are errors in the graphics framework's authorization system. They allow unauthorized commands to be executed in the GPU micro-node, leading to memory corruption. These vulnerabilities can be triggered by a specially crafted sequence of commands passed to the driver. Both issues were first discovered in January by Google's Android security team.


The third vulnerability, CVE-2025-27038, is a use-after-free flaw discovered in March. It leads to memory corruption when processing graphics with the Adreno driver in the Chrome browser. The vulnerability can be exploited to bypass browser isolation and execute arbitrary code on the system. Notably, all three vulnerabilities are already being used in real-world attacks, as confirmed by Google TAG.


Qualcomm emphasized that the fixes have already been provided to OEMs and should be implemented on devices as soon as possible. However, in the Android ecosystem, the delivery of updates to users may be delayed by long supply chains and the need for certification processes.


In October 2024, Qualcomm faced another major security incident: the vulnerability CVE-2024-43047 was exploited to hack the smartphones of activists and journalists in Serbia. The local Security Agency (BIA) and police, using Cellebrite tools, were able to access device content, bypassing the screen lock. This vulnerability also allowed them to bypass Android's built-in protection mechanisms and gain control at the system level.


As part of the investigation, Google TAG discovered that in some cases, the attacks involved the installation of the NoviSpy spyware. This malware would implant itself at the operating system kernel level using a sophisticated exploit chain, ensuring its stealthiness and persistence. The infection allowed attackers to remotely control devices and stealthily collect information.


These incidents were part of ongoing campaigns: in 2023, Qualcomm reported active exploitation of three other zero-day vulnerabilities in the GPU and Compute DSP drivers. These were exploited by hackers before fixes were released, highlighting sustained interest in Qualcomm’s chipset architecture by hacker groups.


In recent years, the company has regularly patched dangerous vulnerabilities that allowed unauthorized access to text messages, call history, multimedia data, and even real-time eavesdropping on conversations. Driver-level attacks are particularly dangerous as they can bypass standard Android security mechanisms and penetrate deep into system components.


Amidst the increasing number of targeted attacks, Qualcomm is once again stressing the importance of timely security updates. However, the protection of users largely depends on how quickly device manufacturers and carriers distribute these fixes to the mass market.
 