Qualcomm fixes multiple zero-day chip flaws after Google warns of active exploits by hackers

Chipmaker Qualcomm has rolled out security patches to fix three serious zero-day vulnerabilities affecting its Adreno GPU (graphics processing unit) driver, after Google warned that hackers were actively exploiting these flaws in targeted attacks. The issues came to light after Google’s Threat Analysis Group (TAG) shared evidence that the vulnerabilities — tracked as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038 — were being used in the wild. These flaws affect dozens of chipsets and could allow attackers to gain control of a device or install spyware.
“There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation,” Qualcomm said in a security advisory on Monday.
The first two vulnerabilities, CVE-2025-21479 and CVE-2025-21480, were reported to Qualcomm in January by Google’s Android Security team. These issues are related to incorrect authorisation in the GPU’s graphics framework, which can lead to memory corruption. The third flaw, CVE-2025-27038, was reported in March and is described as a use-after-free bug – a type of memory corruption that happens when a program continues to use memory after it has been freed.
The third vulnerability is believed to be connected to the rendering process in Chrome when using Adreno GPU drivers. Qualcomm said it made patches for all three Adreno GPU driver vulnerabilities available to original equipment manufacturers (OEMs) in May, together with a strong recommendation to deploy the update on affected devices as soon as possible.
While the specific devices affected were not listed, Qualcomm advised users to contact their device makers for patch information. “We encourage end users to apply security updates as they become available from device makers,” Qualcomm spokesperson Dave Schefcik said in a statement.
Google's Pixel line of smartphones was not affected by these vulnerabilities, a Google spokesperson told TechCrunch.
