Google’s Android Security team, notably the Threat Analysis Group (TAG), has recently disclosed multiple critical zero-day vulnerabilities affecting Qualcomm’s Adreno GPU drivers — components embedded in the graphics subsystem of billions of Android devices worldwide. These vulnerabilities have been actively exploited in the wild, representing a severe security risk to end users.

Technical Overview

The flaws, identified as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, are primarily rooted in memory corruption issues and improper authorization checks within the GPU’s driver code. Due to the Adreno GPU’s privileged position in the Android kernel space, these bugs enable attackers to escalate privileges from user space to kernel space by crafting malicious GPU command streams or malformed graphics data. • CVE-2025-21479 & CVE-2025-21480: These vulnerabilities relate to incorrect authorization mechanisms in the command execution path of the Adreno GPU driver. An attacker controlling a malicious app or injected code can bypass standard access controls, leading to unauthorized command execution within the GPU microkernel, which can corrupt memory or trigger out-of-bounds writes. • CVE-2025-27038: This is a use-after-free vulnerability that occurs during the rendering pipeline. When exploited, it can cause arbitrary code execution by manipulating freed memory buffers, enabling attackers to run arbitrary code with kernel-level privileges.

Impact and Exploitation

The Qualcomm Adreno GPU driver is widely deployed across Snapdragon chipsets powering numerous flagship and mid-range devices from manufacturers such as Samsung, OnePlus, Xiaomi, and more. Because these GPUs interact closely with the Android kernel, exploitation of these vulnerabilities enables: • Remote Code Execution (RCE): Attackers can execute arbitrary code on the device remotely without requiring user interaction in some scenarios. • Privilege Escalation: Gaining kernel privileges, thereby bypassing Android’s security sandboxing and app permission models. • Persistent Malware Installation: Ability to install rootkits or persistent malware modules that survive device reboots. • Data Exfiltration and Surveillance: Unauthorized access to sensitive user data, including credentials, messages, and media files.

Google TAG’s reports confirmed active exploitation of these zero-day flaws, underlining the urgency for device manufacturers and users to apply patches.

Mitigation and Recommendations

Qualcomm promptly released patches addressing these vulnerabilities, which have been forwarded to OEMs for integration into Android firmware updates. Due to the fragmentation of the Android ecosystem, rollout times vary widely, leaving many devices exposed.

Security experts recommend: • Immediate Updates: Users should regularly check for and install firmware updates from their device manufacturers. • App Vetting: Avoid downloading apps outside trusted sources like Google Play to minimize risk exposure. • Behavioral Monitoring: Users and enterprises should monitor devices for abnormal CPU/GPU usage, crashes, or suspicious network activity. • Enterprise Controls: Organizations should enforce mobile device management (MDM) policies to ensure timely patch deployment.

Broader Context

These vulnerabilities highlight the challenges inherent in securing low-level hardware drivers like GPUs, which often operate with high privileges and complex codebases. They remain attractive targets for advanced threat actors due to the potential for complete system compromise.

The incident reinforces the critical need for collaboration between chipset vendors, OS developers, and manufacturers to ensure rapid vulnerability identification and patch deployment, safeguarding the vast Android user base.