Post

CISA Adds Qualcomm Chipset Vulnerabilities to Known Exploited Vulnerabilities Catalog

Discover the latest on CISA's addition of critical Qualcomm chipset vulnerabilities to its catalog. Learn about the flaws, their impact, and the necessary security measures.

Posted
By Vitus White
2 min read
CISA Adds Qualcomm Chipset Vulnerabilities to Known Exploited Vulnerabilities Catalog

TL;DR

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple Qualcomm chipset vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These flaws, which include authorization issues and use-after-free vulnerabilities, have been exploited in targeted attacks. Federal agencies and private organizations are urged to address these vulnerabilities promptly to protect their networks.

U.S. CISA Adds Multiple Qualcomm Chipset Flaws to Known Exploited Vulnerabilities Catalog

Introduction

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added several critical vulnerabilities in Qualcomm chipsets to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities, which have been exploited in limited, targeted attacks, pose significant security risks. This article provides an overview of the identified flaws, their potential impact, and the necessary mitigation steps.

Identified Vulnerabilities

The following vulnerabilities have been added to the KEV catalog:

  1. CVE-2025-21479 - Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
  2. CVE-2025-21480 - Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
  3. CVE-2025-27038 - Qualcomm Multiple Chipsets Use-After-Free Vulnerability

Details of the Vulnerabilities

  • CVE-2025-21479 (CVSS score: 8.6)
    • Description: This flaw involves an incorrect authorization issue in the Graphics component, leading to memory corruption due to unauthorized command execution in the GPU micronode.
    • Impact: Potential for unauthorized access and data corruption.
  • CVE-2025-21480 (CVSS score: 8.6)
    • Description: Similar to CVE-2025-21479, this vulnerability affects Graphics Windows, causing memory corruption due to unauthorized command execution.
    • Impact: Risks include unauthorized access and system instability.
  • CVE-2025-27038 (CVSS score: 7.5)
    • Description: A use-after-free issue in the Graphics component, resulting in memory corruption while rendering graphics using Adreno GPU drivers in Chrome.
    • Impact: Can lead to system crashes and potential exploitation by malicious actors.

Mitigation Steps

Qualcomm has addressed these zero-day vulnerabilities and recommends that OEMs deploy the necessary patches as soon as possible. According to the Binding Operational Directive (BOD) 22-01, federal agencies must address these vulnerabilities by June 24, 2025, to protect their networks. Private organizations are also advised to review the Catalog and implement the required security measures.

Conclusion

The addition of these Qualcomm chipset vulnerabilities to the KEV catalog highlights the ongoing threat of cyber exploitation. Organizations must remain vigilant and proactive in addressing such vulnerabilities to safeguard their systems and data. For more information, follow SecurityAffairs and stay updated on the latest cybersecurity news.

References

Cybersecurity & Data Protection
cybersecurity vulnerability threat-intelligence
This post is licensed under CC BY 4.0 by the author.