
Google has urgently patched two actively exploited Qualcomm GPU vulnerabilities in its August Android security update, alongside a critical system flaw allowing remote code execution—revealing escalating threats targeting mobile hardware supply chains.

The vulnerabilities (CVE-2025-21479 and CVE-2025-27038) reside in Qualcomm's Adreno GPU drivers and Android's Graphics framework. CVE-2025-21479 enables unauthorized command execution in the GPU micronode, triggering memory corruption. Its counterpart, CVE-2025-27038, is a use-after-free flaw during graphics rendering that similarly corrupts memory. Both can be weaponized with other exploits for stealthy device compromise, requiring no user interaction.

"There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-27038 may be under limited, targeted exploitation," Qualcomm warned in June, advising OEMs to deploy patches "as soon as possible."

Evidence suggests sophisticated actors have leveraged these flaws since at least January 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added them to its Known Exploited Vulnerabilities catalog in June, mandating federal agencies to mitigate risks within weeks.

The Silent Threat Landscape

Beyond the Qualcomm flaws, Google patched a critical system vulnerability (undisclosed) allowing unprivileged attackers to achieve remote code execution when chained with other exploits. This trifecta of threats underscores how mobile attacks increasingly target low-level components:

- Hardware-level compromise: GPU drivers offer deep system access, bypassing higher-level defenses
- Exploit chaining: Combining these flaws creates potent attack vectors
- Supply chain risks: Third-party components like Qualcomm's Adreno GPU permeate Android's ecosystem

Google released patches in two waves:
1. The August 1 patch addressing framework/system components
2. The August 5 patch adding third-party/kernel fixes

Yet fragmentation remains a barrier—Pixel devices receive immediate updates, while other vendors face delays adapting patches to proprietary hardware.
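The two-wave split matters for fleet triage: a device reporting the August 1 level has the framework/system fixes but not the third-party/kernel ones. The following is an added example, not code from the article or from Google; it assumes patch levels are recorded in Android's `YYYY-MM-DD` form (as reported by the `ro.build.version.security_patch` property), and the inventory columns and device names are hypothetical.

```python
import csv
import io
from datetime import date

# Patch levels for the article's two August 2025 waves, in Android's format.
FRAMEWORK_LEVEL = date(2025, 8, 1)   # framework/system components
FULL_LEVEL = date(2025, 8, 5)        # adds third-party/kernel fixes

# Constructed sample inventory; device names and values are illustrative only.
SAMPLE_INVENTORY = """device,soc_vendor,security_patch
pixel-lab-01,Google,2025-08-05
tablet-ops-07,Qualcomm,2025-08-01
phone-field-12,Qualcomm,2025-06-05
phone-field-13,Qualcomm,
kiosk-03,MediaTek,2025-07-01
"""

def classify(patch_level: str) -> str:
    """Map a reported security patch level to an exposure status."""
    try:
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"              # missing or malformed: needs follow-up
    if level >= FULL_LEVEL:
        return "patched"
    if level >= FRAMEWORK_LEVEL:
        return "framework-only"       # third-party/kernel fixes not included
    return "unpatched"

def triage(inventory_csv: str) -> list[tuple[str, str]]:
    """Return (device, status) pairs needing action, Qualcomm devices first."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["security_patch"] or "")
        if status != "patched":
            qualcomm = row["soc_vendor"].lower() == "qualcomm"
            rows.append((not qualcomm, row["device"], status))
    rows.sort()                       # False sorts first: Qualcomm on top
    return [(dev, status) for _, dev, status in rows]

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY):
        print(f"{device}: {status}")
```

The patch level string is declared by the device vendor, so treat "patched" as a necessary check rather than proof that every driver fix is present.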

Persistent Zero-Day Realities

This incident continues a troubling pattern. In March, Google patched Android zero-days exploited by Serbian authorities to unlock devices. Last November, it addressed CVE-2024-43047—another zero-day used in NoviSpy spyware attacks. State-sponsored and criminal groups increasingly weaponize undisclosed mobile vulnerabilities, with hardware components becoming prime targets.

For developers and security teams, the implications are stark:
- Prioritize GPU/driver updates in patch management workflows
- Assume exploit chaining in threat modeling—especially for critical systems
- Pressure OEMs to accelerate security updates for non-Pixel devices

As hardware-level vulnerabilities proliferate, the industry must confront supply chain security as fiercely as software flaws. Delayed patches in critical components create systemic risks affecting billions of devices—a reality demanding architectural reconsiderations beyond monthly security bulletins.

Source: BleepingComputer