Google has issued its August 2025 security bulletin for Android, patching six vulnerabilities, including two Qualcomm graphics-component flaws—CVE-2025-21479 (CVSS 8.6) and CVE-2025-27038 (CVSS 7.5)—that are confirmed to be under active exploitation. Both bugs can trigger memory corruption in devices using Adreno GPUs, potentially allowing attackers to seize control of a handset without user interaction. Google’s Threat Analysis Group reported limited, targeted exploitation, and researchers suspect the techniques mirror those previously adopted by commercial spyware vendors Variston and Cy4Gate. The two vulnerabilities were added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog on 3 June, compelling federal agencies to apply fixes by 24 June. Google has released two patch levels, 2025-08-01 and 2025-08-05, the latter bundling additional updates for closed-source components from Arm and Qualcomm. The bulletin also addresses a critical remote-code-execution flaw in the Android System component (CVE-2025-48530) and two high-severity privilege-escalation weaknesses in the Framework (CVE-2025-22441 and CVE-2025-48533). Pixel devices are receiving the update immediately, while other manufacturers are expected to distribute it once compatibility testing is complete.
Google’s August Patch Fixes Two Qualcomm Vulnerabilities Exploited in the Wild https://t.co/X9UCrhP7R1
The Android August security patch fixes two Qualcomm bugs that have been exploited by hackers in the wild. https://t.co/FI6Rn33ggV
Google’s August Patch Fixes Two Qualcomm Vulnerabilities Exploited in the Wild: https://t.co/GSm4njNIZ8 by The Hacker News