Google Fixes Qualcomm GPU Exploits in August Android Update (CVE-2025-21479 & CVE-2025-27038)

Two Qualcomm GPU vulnerabilities have been patched in Android’s August 2025 update—bugs actively used in targeted attacks. Google users should update immediately to Patch Level 2025-08-05 or later. Discover what’s affected and how to stay safe.

What's Going On

In its August 2025 security rollout, Google patched two critical Qualcomm GPU vulnerabilities listed as CVE-2025-21479 and CVE-2025-27038, both of which were confirmed to be actively exploited in the wild.

  • CVE-2025-21479: An incorrect authorization flaw in the graphics framework allowing unauthorized commands within the GPU micronode, causing memory corruption (CVSS 8.6).
  • CVE-2025-27038: A use-after-free vulnerability in the Adreno GPU driver, leading to memory corruption during Chrome-based rendering (CVSS 7.5).

Google integrated patches supplied by Qualcomm in June after the Threat Analysis Group signaled targeted exploitation. CISA has added both to its Known Exploited Vulnerabilities (KEV) catalog, requiring urgent mitigation by June 24, 2025.


Patch and Rollout Details

  • Two patch levels released: 2025-08-01 and 2025-08-05.
    • 08-05 includes Qualcomm and Arm component fixes.
  • Pixel devices received updates immediately; other vendors will roll them out progressively.

ThreatGrid Takeaways

Priority | Action
High     | Update immediately to patch level 2025-08-05 or newer, especially on Pixel devices.
Medium   | Ensure all Android fleets (corporate or device management rolls) are patched.
High     | Monitor for anomalies around graphics rendering and GPU-intensive operations.
Low      | Coordinate with OEMs to confirm patch deployment timelines and coverage.
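
An added example (not from the original article): a fleet check against the two August patch levels, classifying each device by its reported security patch level, which Android exposes as the ro.build.version.security_patch property. The inventory format, device ids and status names are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Patch levels named in the article; 2025-08-05 is the one that
# includes the Qualcomm and Arm component fixes.
BASE_LEVEL = date(2025, 8, 1)
FULL_LEVEL = date(2025, 8, 5)


def classify(patch_level: str) -> str:
    """Map a security patch level string (YYYY-MM-DD) to a fleet status."""
    try:
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"   # empty or malformed value: treat as unverified
    if level >= FULL_LEVEL:
        return "patched"
    if level >= BASE_LEVEL:
        return "partial"   # 2025-08-01 level: vendor component fixes not included
    return "behind"


def audit(inventory_csv: str) -> dict:
    """Group device ids by status from an export with device_id,patch_level columns."""
    report = {"patched": [], "partial": [], "behind": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row.get("patch_level") or "")
        report[status].append(row["device_id"])
    return report


# Constructed sample export; device ids and values are made up for illustration.
SAMPLE = """device_id,patch_level
pixel-001,2025-08-05
tablet-014,2025-08-01
phone-207,2025-06-05
phone-311,2025-09-01
kiosk-042,
phone-400,2025-8
"""

if __name__ == "__main__":
    for status, devices in audit(SAMPLE).items():
        print(f"{status:8} {len(devices):2}  {', '.join(devices)}")
```

Devices in the "partial" and "unknown" groups need the same follow-up as those in "behind": a device on 2025-08-01 has not reached the level that carries the Qualcomm fixes.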