Google's recent security update addresses critical vulnerabilities in Android, particularly two Qualcomm-related issues classified as actively exploited. CVE-2025-21479 involves incorrect authorization in the Graphics component, leading to potential memory corruption via unauthorized GPU command execution. CVE-2025-27038 is a use-after-free vulnerability impacting Adreno GPU drivers. These vulnerabilities have been flagged by the U.S. CISA as requiring immediate attention from federal agencies. Additionally, the update fixes high-severity privilege escalation flaws and a critical remote code execution issue within the Android System component.
The vulnerabilities include CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), both of which were disclosed alongside CVE-2025-21480 (CVSS score: 8.6) by the chipmaker back in June 2025.
CVE-2025-21479 relates to an incorrect authorization vulnerability in the Graphics component that could lead to memory corruption due to unauthorized command execution in GPU microcode.
Google's August 2025 patch also resolves two high-severity privilege escalation flaws in Android Framework (CVE-2025-22441 and CVE-2025-48533) and a critical bug in the System component (CVE-2025-48530) that could result in remote code execution.
The three vulnerabilities have since been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the updates by June 24, 2025.