
Google’s August update addresses two Qualcomm vulnerabilities that have been actively exploited.

Google has released critical security updates to address multiple vulnerabilities in Android, including two Qualcomm bugs identified as actively exploited. The vulnerabilities, CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), were disclosed by Qualcomm in June 2025, alongside CVE-2025-21480 (CVSS score: 8.6). CVE-2025-21479 pertains to an incorrect authorisation vulnerability in the Graphics component, potentially leading to memory corruption through unauthorised command execution in GPU microcode. In contrast, CVE-2025-27038 is a use-after-free vulnerability in the Graphics component that could cause memory corruption while rendering graphics with Adreno GPU drivers in Chrome. Although details on real-world exploitation remain scarce, Qualcomm indicated that these vulnerabilities may be under limited, targeted exploitation, raising concerns given the history of similar flaws being exploited by commercial spyware vendors.

In addition to addressing the Qualcomm vulnerabilities, Google’s August 2025 patch resolves two high-severity privilege escalation flaws in the Android Framework (CVE-2025-22441 and CVE-2025-48533) and a critical bug in the System component (CVE-2025-48530) that could enable remote code execution without requiring additional privileges or user interaction. Google has provided two patch levels, 2025-08-01 and 2025-08-05, with the latter also including fixes for closed-source and third-party components from Arm and Qualcomm. Android device users are strongly advised to apply these updates promptly to safeguard against potential threats. The vulnerabilities have been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to implement the updates by June 24, 2025.
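To make the two patch levels concrete for fleet triage, the sketch below (an added example, not code from Google or Qualcomm) sorts devices by the security patch level they report, for instance via `getprop ro.build.version.security_patch`. The `device,patch_level` inventory format and the device names are assumptions constructed for illustration.

```python
from datetime import date

# Patch levels named in the article above.
PARTIAL_LEVEL = date(2025, 8, 1)  # 2025-08-01
FULL_LEVEL = date(2025, 8, 5)     # 2025-08-05: also covers Arm and Qualcomm components


def classify_patch_level(level: str) -> str:
    """Return 'full', 'partial', 'missing' or 'unparseable' for a patch-level string."""
    try:
        parsed = date.fromisoformat(level.strip())
    except ValueError:
        # Devices that report nothing usable need manual follow-up, not a guess.
        return "unparseable"
    if parsed >= FULL_LEVEL:
        return "full"
    if parsed >= PARTIAL_LEVEL:
        return "partial"  # lacks the Arm/Qualcomm closed-source component fixes
    return "missing"


def triage(inventory: str) -> dict[str, list[str]]:
    """Group device names by classification; input lines are 'device,patch_level'."""
    buckets = {"full": [], "partial": [], "missing": [], "unparseable": []}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, _, level = line.partition(",")
        buckets[classify_patch_level(level)].append(device.strip())
    return buckets


# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE_INVENTORY = """
# device,security_patch
pixel-lab-01,2025-08-05
tablet-kiosk-07,2025-08-01
handset-field-12,2025-06-05
handset-field-13,2025-09-01
legacy-scanner-02,unknown
"""

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(devices) or '-'}")
```

Devices in the `partial` bucket are the ones to prioritise for the Qualcomm fixes, since they have taken an August update but not the 2025-08-05 level.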