Chipmaker large Qualcomm launched patches on Monday fixing a collection of vulnerabilities in dozens of chips, together with three zero-days that the corporate mentioned could also be in use as a part of hacking campaigns.
Qualcomm cited Google’s Menace Evaluation Group, or TAG, which investigates government-backed cyberattacks, saying the three flaws “could also be underneath restricted, focused exploitation.”
In keeping with the corporate’s bulletin, Google’s Android safety staff reported the three zero-days (CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038) to Qualcomm in February. Zero-days are safety vulnerabilities that aren’t identified to the software program or {hardware} maker on the time of their discovery, making them extraordinarily precious for cybercriminals and authorities hackers.
Due to Android’s open supply and distributed nature, it’s now as much as machine producers to use the patches offered by Qualcomm, which implies some gadgets should be susceptible for a number of extra weeks, even supposing there are patches accessible.
Contact Us
Do you will have extra details about these Qualcomm zero-days? Or different zero-day exploits or zero-day makers? From a non-work machine and community, you possibly can contact Lorenzo Franceschi-Bicchierai securely on Sign at +1 917 257 1382, or by way of Telegram and Keybase @lorenzofb, or electronic mail.
Qualcomm mentioned within the bulletin that the patches “have been made accessible to [device makers] in Could along with a powerful advice to deploy the replace on affected gadgets as quickly as potential.”
Google spokesperson Ed Fernandez instructed TechCrunch that the corporate’s Pixel gadgets are usually not affected by these Qualcomm vulnerabilities.
When reached by TechCrunch, a spokesperson for Google’s TAG didn’t instantly present extra details about these vulnerabilities, and the circumstances during which TAG discovered them.
Qualcomm didn’t reply to a request for remark.
Chipsets present in cell gadgets are frequent targets for hackers and zero-day exploit builders as a result of chips usually have broad entry to the remainder of the working system, which implies hackers can bounce from there to different components of the machine which will maintain delicate information.
In the previous couple of months, there have been documented circumstances of exploitation towards Qualcomm chipsets. Final yr, Amnesty Worldwide recognized a Qualcomm zero-day that was being utilized by Serbian authorities, doubtless by utilizing telephone unlocking instrument maker Cellebrite.
