Phone chipmaker Qualcomm fixes three zero-days exploited by hackers

Chipmaker large Qualcomm released patches on Monday fixing a sequence of vulnerabilities in dozens of chips, together with three zero-days that the corporate stated could also be in use as a part of hacking campaigns. 

Qualcomm cited Google’s Menace Evaluation Group, or TAG, which investigates government-backed cyberattacks, saying the three flaws “could also be underneath restricted, focused exploitation.” 

Based on the corporate’s bulletin, Google’s Android safety crew reported the three zero-days (CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038) to Qualcomm in February. Zero-days are safety vulnerabilities that aren’t recognized to the software program or {hardware} maker on the time of their discovery, making them extremely valuable for cybercriminals and authorities hackers. 

Due to Android’s open supply and distributed nature, it’s now as much as machine producers to use the patches supplied by Qualcomm, which suggests some units should still be susceptible for a number of extra weeks, even supposing there are patches out there. 

Qualcomm stated within the bulletin that the patches “have been made out there to [device makers] in Could along with a powerful suggestion to deploy the replace on affected units as quickly as doable.”

Google spokesperson Ed Fernandez instructed TechCrunch that the corporate’s Pixel units usually are not affected by these Qualcomm vulnerabilities.

Kimberly Samra, a spokesperson for Google’s TAG didn’t instantly present extra details about these vulnerabilities, and the circumstances wherein TAG discovered them. 

Qualcomm acknowledged the fixes. “We encourage finish customers to use safety updates as they grow to be out there from machine makers,” stated firm spokesperson Dave Schefcik.

Chipsets present in cellular units are frequent targets for hackers and zero-day exploit builders as a result of chips usually have broad entry to the remainder of the working system, which suggests hackers can leap from there to different elements of the machine which will maintain delicate information. 

In the previous few months, there have been documented instances of exploitation towards Qualcomm chipsets. Final yr, Amnesty International identified a Qualcomm zero-day that was being utilized by Serbian authorities, possible through the use of telephone unlocking instrument maker Cellebrite.

Up to date to incorporate Qualcomm’s spokesperson remark.