TechCrunch reports that Qualcomm has fixed a trio of zero-day vulnerabilities leveraged in ongoing attacks, as part of updates that also remediated other security issues across dozens of its chipsets.
Such patches come months after Qualcomm was informed by Google's Threat Analysis Group regarding the utilization of the flaws, tracked as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, in "limited, targeted" intrusions. Fixes "have been made available to [device makers] in May together with a strong recommendation to deploy the update on affected devices as soon as possible," said Qualcomm in a bulletin. Additional details regarding the flaws were not provided by Google TAG but Google spokesperson Ed Fernandez noted that the firm's Pixel devices were not impacted by the said issues. Vulnerabilities in Qualcomm chipsets have been targeted by malicious actors in recent months, with a zero-day discovered by Amnesty International to have been leveraged in Serbian attacks involving the Cellebrite spyware.
Such patches come months after Qualcomm was informed by Google's Threat Analysis Group regarding the utilization of the flaws, tracked as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, in "limited, targeted" intrusions. Fixes "have been made available to [device makers] in May together with a strong recommendation to deploy the update on affected devices as soon as possible," said Qualcomm in a bulletin. Additional details regarding the flaws were not provided by Google TAG but Google spokesperson Ed Fernandez noted that the firm's Pixel devices were not impacted by the said issues. Vulnerabilities in Qualcomm chipsets have been targeted by malicious actors in recent months, with a zero-day discovered by Amnesty International to have been leveraged in Serbian attacks involving the Cellebrite spyware.
