Google Addresses Qualcomm Vulnerabilities in August Security Update

By Tina Reynolds

Google recently issued major security patches to address several Linux kernel vulnerabilities in its Android OS. This update only applies to two major vulnerabilities related to Qualcomm components. These vulnerabilities have been aggressively exploited both in the wild and in theatrical environments. In the context of the current cyber threat landscape and the industry’s clear need for stronger security, these updates lighten the burden on already overwhelmed organizations.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially cataloged the vulnerabilities. During this past year, you could mostly find them in the Known Exploited Vulnerabilities (KEV) catalog. This categorization mandates that federal agencies implement the necessary updates by June 24, 2025, ensuring their systems remain secure against potential attacks.

Details of the Vulnerabilities

Among the major vulnerabilities fixed is CVE-2025-27038, a use-after-free flaw found in the Graphics component of Android. This vulnerability would allow memory corruption when rendering graphics through Adreno GPU drivers in Google Chrome. An exploit like this one would undermine the integrity of the devices and user data, making it all the more critical that you apply the patch immediately.

In total, Google has introduced two patch levels for August 2025: 2025-08-01 and 2025-08-05. It’s the latter that closes out Qualcomm’s longstanding antitrust issues. It represents the fixes for closed-source and third-party components like those from Arm. This comprehensive approach signifies Google’s commitment to improving device security across various platforms and manufacturers.
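A check for the two patch levels named above, as an added example that is not part of the original article. The function names and the constructed device inventory are assumptions; `ro.build.version.security_patch` is the Android system property that reports a device's patch level.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the
# August 2025 levels named in the article (2025-08-01 and 2025-08-05).

BASE_LEVEL="2025-08-01"   # first August 2025 patch level
FULL_LEVEL="2025-08-05"   # adds closed-source and third-party component fixes

# classify_patch_level LEVEL -> prints FULL, PARTIAL, OUTDATED or INVALID
classify_patch_level() {
    level=$1
    # Accept only YYYY-MM-DD; anything else is treated as untrusted input.
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]) ;;
        *) echo INVALID; return 0 ;;
    esac
    # With the hyphens removed, ISO dates compare correctly as integers.
    n=$(echo "$level" | tr -d '-')
    if [ "$n" -ge "$(echo "$FULL_LEVEL" | tr -d '-')" ]; then
        echo FULL
    elif [ "$n" -ge "$(echo "$BASE_LEVEL" | tr -d '-')" ]; then
        echo PARTIAL      # vendor and third-party component fixes not included
    else
        echo OUTDATED
    fi
}

# audit_inventory: reads "device,patch_level" lines on stdin and prints
# every device that is not at the full level, with its classification.
audit_inventory() {
    while IFS=, read -r device level; do
        [ -n "$device" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = FULL ] || echo "$device $status"
    done
}

# Constructed sample inventory (device names are made up).
SAMPLE_INVENTORY='pixel-lab-01,2025-08-05
tablet-07,2025-08-01
kiosk-12,2025-06-05
handset-03,unknown'

# For a connected device, the level can be read with:
#   adb shell getprop ro.build.version.security_patch | tr -d '\r'
printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

A device reporting 2025-08-01 is flagged PARTIAL because only the 2025-08-05 level carries the closed-source and third-party component fixes.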

Implications for Federal Agencies

The vulnerabilities' recent addition to CISA’s KEV catalog highlights the critical need for timely updates across all federal agencies and entities the directive applies to. The directive places the onus on all federal agencies to apply the updates and protect their systems before the flaws can be exploited. By June 24, 2025, these agencies are required to have their patches in place, setting an aggressive tone in favor of cybersecurity.

Qualcomm has acknowledged the gravity of these issues. It notes that there are signs of limited, targeted exploitation of CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038. This statement underscores the need for immediate action: swift, concrete steps are still needed to avoid harm to consumers and to innovation in areas that depend on Qualcomm technology.

“There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation.” – Qualcomm