Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited
Summary
| OEM | Qualcomm |
| Severity | HIGH |
| CVSS Score | 8.6 |
| CVEs | CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.
These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats.
| Vulnerability Name | CVE ID | Product Affected | CVSS Score | Severity |
| Incorrect Authorization Vulnerability | CVE-2025-21479 | Qualcomm Adreno GPU Driver | 8.6 | High |
| Incorrect Authorization Vulnerability | CVE-2025-21480 | Qualcomm Adreno GPU Driver | 8.6 | High |
| Use-After-Free Vulnerability | CVE-2025-27038 | Qualcomm Adreno GPU Driver | 7.5 | High |
Technical Summary
These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21479 | Android (Adreno GPU) | Unauthorized command execution during specific GPU microcode sequences causes memory corruption. | Privilege escalation, system compromise. |
| CVE-2025-21480 | Android (Adreno GPU) | Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks. | Memory corruption, remote code execution. |
| CVE-2025-27038 | Android (Chrome/Adreno) | Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space. | Arbitrary code execution. |
Recommendations:
- Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers.
- Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available.
- Apply Security Updates: Users should ensure their Android devices receive the latest security updates.
- Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels.
Conclusion:
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.
Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide.
In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.
Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation.
References: