CVE-2025-21480
Incorrect Authorization in Graphics Windows
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- December 18, 2024
- Published Date
- June 03, 2025
- Last Updated
- June 06, 2025
- Vendor
- Qualcomm, Inc.
- Product
- Snapdragon
- Description
- Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.
- Tags
- Score
- 3.40% (Percentile: 86.84%) as of 2025-06-14
- Exploitation
- active
- Technical Impact
- total
- Exploited in the Wild
- Yes (2025-06-03 06:45:33 UTC) Source
cisa
windows
CVSS Scores
CVSS v3.1
8.6 - HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score
SSVC Information
Exploit Status
References
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CyberInsider | 2025-06-03 06:45:26 UTC |
Recent Mentions
CISA Adds Three Known Exploited Vulnerabilities to Catalog
Source: All CISA Advisories • Published: 2025-06-03 12:00:00 UTC
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-21479 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
CVE-2025-21480 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
CVE-2025-27038 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Android Fixes Actively Exploited Zero-Days in Qualcomm Components
Source: CyberInsider • Published: 2025-06-02 19:39:50 UTC
Google has released its June 2025 Android Security Bulletin, patching multiple high-severity vulnerabilities, including three critical Qualcomm zero-days that were confirmed to be under active, targeted exploitation. According to Qualcomm’s security bulletin, the actively exploited vulnerabilities, CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, affect Adreno GPU drivers. These flaws allow unauthorized command execution or memory corruption through specific …
The post Android Fixes Actively Exploited Zero-Days in Qualcomm Components appeared first on CyberInsider.
Qualcomm Fixes 3 Zero-Days Used in Targeted Android Attacks via Adreno GPU
Source: TheHackerNews • Published: 2025-06-02 14:22:00 UTC
Qualcomm has shipped security updates to address three zero-day vulnerabilities that it said have been exploited in limited, targeted attacks in the wild.
The flaws in question, which were responsibly disclosed to the company by the Google Android Security team, are listed below -
CVE-2025-21479 and CVE-2025-21480 (CVSS score: 8.6) - Two incorrect authorization vulnerabilities in the Graphics
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel