Qualcomm Releases Patches for Zero-Day Vulnerabilities in Chipsets
Chipmaking giant Qualcomm recently announced patches for several vulnerabilities affecting dozens of chips, including three zero-day vulnerabilities that may be actively exploited by hackers. The company stated that Google’s Threat Analysis Group (TAG) alerted it to these vulnerabilities, which are believed to be targeted in limited exploitation campaigns.
The three zero-day vulnerabilities, identified as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, were reported to Qualcomm by Google’s Android security team in February. Zero-day vulnerabilities are highly sought after by cybercriminals and government hackers as they are unknown to software or hardware manufacturers at the time of discovery.
Although patches are available, the open-source nature of Android means that each device manufacturer must apply the fixes provided by Qualcomm to its own devices. As a result, some devices may remain vulnerable for several weeks until the patches are implemented.
Qualcomm stated in its bulletin that the patches were made available to device manufacturers in May with a strong recommendation to deploy them promptly. Google confirmed that its Pixel devices are not impacted by these Qualcomm vulnerabilities.
When contacted for further information, a spokesperson for Google’s TAG did not provide additional details about the vulnerabilities or the circumstances surrounding their discovery. Qualcomm did not respond to requests for comment.
Chipsets in mobile devices are common targets for hackers and exploit developers due to their broad access to the operating system. Exploiting vulnerabilities in chipsets can allow hackers to gain access to sensitive data stored on the device.
In recent months, there have been reported instances of exploitation targeting Qualcomm chipsets. Amnesty International previously identified a Qualcomm zero-day vulnerability being used by Serbian authorities, potentially through the use of phone unlocking tools like those made by Cellebrite.