Mobile chipmaker Qualcomm on Monday warned that professional hackers are already exploiting three newly patched Adreno GPU bugs and the company is pressing phone makers to push available fixes without delay.
The company did not provide details on the attacks but cited “indications from Google Threat Analysis Group” that a trio of flaws (CVE-2025-21479, CVE-2025-21480 and CVE-2025-27038) “may be under limited, targeted exploitation.”
The company did not share any additional details on the in-the-wild attacks. Google has not yet publicly documented these exploits. The use of the “limited, targeted exploitation” phrase suggests the exploits may be linked to commercial spyware products.
According to Qualcomm’s June 2025 security bulletin, patches for these vulnerabilities were shipped to OEMs and phone manufacturers in May and the chipmaker is strongly urging phone manufacturers to push updates “as soon as possible.”
“Please contact your device manufacturer for more information on the patch status about specific devices,” Qualcomm said.
Two of the three flaws are rated “critical” and are described as improper authorization in the GPU micronode that allows rogue commands to corrupt memory. The critical bugs carry a CVSS security score of 8.6/10.
The third exploited vulnerability is a use-after-free in the Adreno driver that can be triggered from Chrome. This flaw is marked with a CVSS severity score of 7.5/10.
The exploited flaws headline a massive patch bundle from Qualcomm that covers multiple “high-severity” affected the data network stack, WLAN HAL denial-of-service and a Bluetooth host memory corruption issue.
Qualcomm also shipped patches for security bugs in DSP services, audio, computer-vision and camera drivers.
Related: Vulnerabilities Patched in Qualcomm, Mediatek Chipsets
Related: Qualcomm Alerted to Zero-Day Exploited in Targeted Attacks
Related: Federal Agencies Pushed to Patch Exploited Qualcomm Flaws
