U.S. chip manufacturer Qualcomm has released a significant number of security patches for vulnerabilities within its chips and open-source software. This move is crucial as many Android smartphones worldwide utilize Qualcomm chips, making them a prime target for potential cyberattacks. However, the timely delivery of these patches to end users remains a critical factor.
In its June 2025 security report, Qualcomm detailed a total of 18 patches addressing various vulnerabilities. Among these, three are particularly concerning as they are believed to have been actively exploited in targeted hacker attacks. These specific vulnerabilities are classified as zero-days, which means attackers were leveraging these flaws before developers had a patch available.
According to Google’s Threat Analysis Group (TAG), these three zero-day vulnerabilities all impact the Adreno graphics processors (GPU) found within Qualcomm chips. These GPUs are integrated into a wide range of globally used smartphones from manufacturers such as Samsung, Xiaomi, and OnePlus.
Two of the vulnerabilities affecting the Adreno GPU micronode stem from incorrect authorization, which can lead to memory corruption. These are considered highly dangerous, reflected by their CVSS score of 8.6. The third vulnerability is described as a “use after free” error in the GPU memory. This type of error occurs when memory is still referenced after it has been freed, potentially causing crashes or, in the reported instance, memory corruption when rendering graphics using Adreno GPU drivers within the Chrome browser.
Qualcomm proactively provided patches for these three critical zero-day vulnerabilities to all affected manufacturers as early as May. Despite this, there can be a delay before smartphone manufacturers integrate these patches into their own device software updates and subsequently release them to users. Qualcomm’s report explicitly urges manufacturers to “update affected devices as quickly as possible.” Users are advised to reach out to their smartphone manufacturers to inquire about the patch status of their specific devices.
While device manufacturers manage their Android-based operating systems, they typically do not have direct control over the firmware of the installed chips. They are reliant on chip manufacturers like Qualcomm to first provide the necessary security patches. Only after receiving these patches can smartphone manufacturers develop and deliver the corresponding updates to their devices. This dependence on chip makers for initial patches can create a window of vulnerability, making Android smartphones an attractive target for hackers. A notable example occurred in 2021 when a security flaw in a Qualcomm modem impacted hundreds of millions of devices, and it took several weeks to months for the necessary update to be rolled out to the majority of affected smartphones.




