San Diego, CA – June 3, 2024 – Qualcomm urgently released a security patch in May to address three zero-day vulnerabilities affecting its Adreno Graphics Processing Units (GPUs). The vulnerabilities, which impact a wide range of chipsets, are already being exploited in the wild, according to researchers at Google’s Threat Analysis Group.
The technology news site BleepingComputer reported on June 2 that the three vulnerabilities are tracked as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038.
CVE-2025-21479 and CVE-2025-21480, reported in January 2024, are attributed to improper authorization within the graphics framework. These flaws could allow unauthorized command execution, leading to memory corruption. CVE-2025-27038 is a use-after-free vulnerability that can trigger memory corruption during graphics rendering in Chrome when using the Adreno GPU driver.
Qualcomm issued a warning in its Monday announcement and pushed the patches to Original Equipment Manufacturers (OEMs) in May, urging them to update affected devices as soon as possible. The prompt action highlights the severity of the vulnerabilities and the potential risk to users.
“The fact that these vulnerabilities are already being exploited underscores the importance of timely security updates,” said a security analyst at a leading cybersecurity firm, who wished to remain anonymous. Users should ensure their devices are running the latest software versions to mitigate the risk of compromise.
In addition to the GPU driver vulnerabilities, Qualcomm also addressed a buffer out-of-bounds read vulnerability (CVE-2024-53026) in its Data Network Stack & Connectivity. This flaw could allow unauthenticated attackers to access restricted information during VoLTE/VoWiFi IMS calls by sending crafted RTCP packets.
The rapid response from Qualcomm demonstrates the company’s commitment to addressing security threats and protecting its users. However, the incident also serves as a reminder of the ongoing challenges in securing complex software and hardware systems.
The vulnerabilities highlight the increasing sophistication of cyberattacks and the need for constant vigilance in the technology industry. As devices become more interconnected, the potential attack surface expands, making it crucial for manufacturers to prioritize security and respond quickly to emerging threats.
Recommendations:
- Users should immediately check for and install the latest software updates on their devices.
- OEMs should prioritize the distribution of the Qualcomm patch to affected devices.
- Security researchers should continue to investigate and report potential vulnerabilities to help improve the overall security posture of the ecosystem.
References:
- IT之家. (2024, June 3). Qualcomm urgently releases May patch, fixing 3 Adreno GPU zero-day vulnerabilities.
- BleepingComputer. (2024, June 2). Qualcomm patches three Adreno GPU zero-days exploited in attacks.
- Qualcomm Security Bulletin. (May 2024).
