
Qualcomm's Actively Exploited Vulnerabilities
Qualcomm's security bulletin reveals particularly concerning findings, with three critical vulnerabilities (CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038) already under "limited, targeted exploitation" according to Google's Threat Analysis Group. These vulnerabilities affect the company's widely used Adreno Graphics Processing Unit drivers.
The two most severe issues, CVE-2025-21479 and CVE-2025-21480, both carry critical security ratings with CVSS scores of 8.6. These vulnerabilities stem from "memory corruption due to unauthorised command execution in GPU micronode while executing a specific sequence of commands," essentially allowing attackers to bypass authorisation controls and execute malicious code.
The scope of affected devices is staggering, encompassing popular Snapdragon processors from the 4 Gen series through the flagship 8 Gen 3 platforms, including the Snapdragon 855, 865, 888 series, and numerous FastConnect wireless chips. This affects devices from major manufacturers across the Android and Windows platforms.
ARM's Multi-Vector GPU Threats
ARM's bulletin addresses three distinct vulnerabilities in its Mali GPU drivers: CVE-2025-0073, CVE-2025-0819, and CVE-2025-1246. These affect both kernel and userspace drivers across ARM's Bifrost, Valhall, and 5th Generation GPU architectures.
Particularly noteworthy is CVE-2025-1246, which can be exploited through web browsers via WebGL or WebGPU interfaces, potentially allowing remote attacks through malicious websites. The vulnerability enables "access outside of buffer bounds," which could lead to information disclosure or code execution.
Industry Response and Recommendations
Qualcomm has already distributed patches to Original Equipment Manufacturers (OEMs) with a "strong recommendation to deploy the update on affected devices as soon as possible." The company emphasises that users should "contact your device manufacturer for more information on the patch status about specific devices."
ARM similarly recommends immediate upgrades to the latest driver versions, with fixes already incorporated into updated kernel and userspace drivers.
These coordinated disclosures highlight the critical importance of GPU security in modern computing, where graphics processors handle increasingly sensitive operations beyond traditional rendering tasks.