U.S. CISA adds Multiple Qualcomm chipsets flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Multiple Qualcomm chipsets flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added multiple Qualcomm chipsets flaws to its Known Exploited Vulnerabilities (KEV) catalog.

  • CVE-2025-21479 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
  • CVE-2025-21480 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
  • CVE-2025-27038 Qualcomm Multiple Chipsets Use-After-Free Vulnerability

This week, Qualcomm addressed the above zero-day vulnerabilities that, according to the company, have been exploited in limited, targeted attacks in the wild.

Google Android Security team reported the three issues to the company.

“There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation.” reads the report published by the vendor. “Patches for the issues affecting the Adreno Graphics Processing Unit (GPU) driver have been made available to OEMs in May together with a strong recommendation to deploy the update on affected devices as soon as possible.”

Below are the descriptions of these vulnerabilities:

  • CVE-2025-21479 (CVSS score: 8.6) – The flaw is an Incorrect Authorization issue in the Graphics component. “Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.” reads the advisory.
  • CVE-2025-21480 (CVSS score: 8.6) – The flaw is an Incorrect Authorization issue in Graphics Windows. “Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.” reads the advisory.
  • CVE-2025-27038 (CVSS score: 7.5) – The flaw is a use-after-free issue in the Graphics component. “Memory corruption while rendering graphics using Adreno GPU drivers in Chrome.” states the advisory.

The company did not share details about the attacks exploiting the three vulnerabilities.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by June 24, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)