On June 3, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) Catalog to include three newly discovered and actively exploited vulnerabilities in Qualcomm Adreno GPU drivers. These security flaws affect a wide range of Android-based devices, including smartphones and tablets that utilize Qualcomm chipsets.
Overview of the Vulnerabilities
The three vulnerabilities, now added to the KEV Catalog, are classified as high-risk due to active exploitation in the wild. They reside within Qualcomm’s Adreno GPU kernel-mode drivers, which are responsible for graphics rendering on a substantial number of Android devices.
⚠️ 1. CVE-2025-21479 – Improper Authorization Vulnerability
- Impact: This vulnerability arises from incorrect permission checks in the Adreno GPU driver. A malicious app could exploit this flaw to issue GPU commands that should only be allowed to privileged processes.
- Attack Vector: Local privilege escalation. An attacker with access to the device (e.g., through malware or a malicious app) could trigger this issue to gain elevated privileges.
- Consequence: Memory corruption, potentially leading to denial of service (DoS) or arbitrary code execution with kernel-level permissions.
⚠️ 2. CVE-2025-21480 – Authorization Bypass via GPU Interface
- Nature: Very similar to CVE-2025-21479, this vulnerability involves an additional code path that fails to correctly enforce access control mechanisms within the GPU command interface.
- Exploitability: High. Exploit code can bypass critical memory safety features.
- Result: Attackers can manipulate memory buffers, leading to instability, data leakage, or full device compromise.
⚠️ 3. CVE-2025-27038 – Use-After-Free in GPU Driver
- Description: This is a memory management bug that occurs when memory that has already been freed is accessed again, leading to unpredictable behavior.
- Exploitation: This type of flaw is commonly used in advanced persistent threats (APTs) to achieve kernel-level code execution.
- Risks: Can be used for remote code execution (RCE) or to escalate privileges from a restricted user context.
🚨 Why It Matters
The Adreno GPU drivers are widely integrated across Qualcomm Snapdragon chipsets, which power a vast majority of Android devices globally. Exploiting these flaws gives attackers a direct path to the core of the Android operating system, allowing:
- Root access to the device
- Bypassing security sandboxes
- Eavesdropping on sensitive data
- Injecting persistent malware
🛠️ Qualcomm’s Response
In response to these reports, Qualcomm has issued security patches as part of its May and June 2025 security bulletins. Device manufacturers, including Samsung, Google, Xiaomi, and others, have been notified and are expected to push firmware updates to affected devices.
✅ CISA’s Directive
CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies must apply vendor-released patches for these vulnerabilities by a specific deadline, which is generally within 3 weeks of KEV inclusion. Private sector organizations are strongly encouraged to follow suit to minimize their exposure.
🔐 Recommendations for Organizations and End Users
For Enterprises and SOC Teams:
- Monitor the CISA KEV Catalog regularly.
- Apply the latest Qualcomm security patches.
- Use Mobile Device Management (MDM) tools to ensure patch compliance across Android endpoints.
- Perform vulnerability scanning focused on Qualcomm drivers on Android devices in your fleet.
For End Users:
- Check for system updates immediately and apply them.
- Avoid installing apps from untrusted sources.
- Use security solutions that monitor for unusual app behaviors, such as privilege escalation.
📚 Key Takeaway
The addition of these Qualcomm vulnerabilities to CISA’s KEV Catalog reflects an increasing focus on mobile device security as part of the broader cyber threat landscape. As mobile endpoints grow in critical importance—especially in BYOD and hybrid work environments—keeping Android firmware up to date is no longer optional, but essential.
