Android gets patches for Qualcomm flaws exploited in attacks

Google has released security patches for six vulnerabilities in Android’s August 2025 security update, including two Qualcomm flaws exploited in targeted attacks.

The two security bugs, tracked as CVE-2025-21479 and CVE-2025-27038, were reported through the Google Android Security team in late January 2025.

The first is a Graphics framework incorrect authorization weakness that can lead to memory corruption due to unauthorized command execution in the GPU micronode while executing a specific sequence of commands. CVE-2025-27038, on the other hand, is a use-after-free vulnerability that causes memory corruption while rendering graphics using Adreno GPU drivers in Chrome.

Google has now integrated the patches announced by Qualcomm in June, when the wireless tech giant warned that “There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation.”

“Patches for the issues affecting the Adreno Graphics Processing Unit (GPU) driver have been made available to OEMs in May together with a strong recommendation to deploy the update on affected devices as soon as possible,” Qualcomm said.

CISA has also added the two security bugs to its catalog of actively exploited vulnerabilities on June 3rd, ordering federal agencies to secure their devices against ongoing attacks by June 24.

With this month’s Android security updates, Google has also fixed a critical security vulnerability in the System component that attackers with no privileges can exploit to gain remote code execution when chained with other flaws in attacks that don’t require user interaction.

Google has issued two sets of security patches: the 2025-08-01 and 2025-08-05 security patch levels. The latter bundles all fixes from the first batch and patches for closed-source third-party and kernel subcomponents, which may not apply to all Android devices.

While Google Pixel devices receive security updates immediately, other vendors will often take longer to test andtweak them for their specific hardware configurations.

In March, Google also patched two zero-day vulnerabilities exploited in targeted attacks by Serbian authorities to unlock confiscated Android devices.

Last November, the company addressed a second Android zero-day (CVE-2024-43047) used by the Serbian government in NoviSpy spyware attacks, which was first tagged as exploited by Google Project Zero in October.