On Monday, chipmaker Qualcomm released patches that fix a number of vulnerabilities in dozens of chips, including three zero-day flaws that the company says could be exploited in hacking campaigns.
Qualcomm cites Google’s Threat Analysis Group (TAG), which investigates government-backed cyberattacks, and says the three flaws “could be exploited in a limited, targeted manner.”
According to the company’s bulletin, Google’s Android security team notified Qualcomm of three zero days (CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038) in February. Zero Days are security vulnerabilities that are not known to software or hardware manufacturers at the time of discovery, making them extremely valuable to cybercriminals and government hackers.
Due to the open source and distributed nature of Android, device manufacturers must now apply patches provided by Qualcomm, which means that some devices may remain vulnerable for several more weeks despite the fact that patches have already been released.
In a bulletin, Qualcomm said that the patches “were provided to [device manufacturers] in May along with a strong recommendation to install the update on affected devices as soon as possible.”
Google spokesperson Ed Fernandez told TechCrunch that the company’s Pixel devices are not affected by these Qualcomm vulnerabilities.
Kimberly Samra, a spokesperson for Google’s TAG, did not immediately provide more information about the vulnerabilities and the circumstances under which TAG found them.
Qualcomm has acknowledged the fix. “We encourage end users to apply security updates as they become available from device manufacturers,” said company spokesman Dave Schefcik.
Chipsets installed in mobile devices are a frequent target for hackers and zero-day exploit developers because the chips typically have wide access to the rest of the operating system, meaning that hackers can move from them to other parts of the device that may contain sensitive data.
Over the past few months, cases of exploits against Qualcomm chipsets have been documented. Last year, Amnesty International discovered a Qualcomm zero-day that was used by Serbian authorities, allegedly with the Cellebrite phone unlocking app.
