What is the Qualcomm Adreno GPU Micronode?
See CVE-2025-21480 for the full product context on the Qualcomm Adreno GPU micronode authorization architecture.
Overview
CVE-2025-21479 is the second incorrect authorization vulnerability (CWE-863) in multiple Qualcomm chipsets from the June 2025 Security Bulletin, patched alongside companion CVE-2025-21480 and CVE-2025-27038. Like CVE-2025-21480, it involves unauthorized command execution in Adreno GPU micronodes through a specific sequence of GPU commands — but targets a different authorization check in the GPU pipeline. Together, the two incorrect authorization vulnerabilities (21479 and 21480) provide alternate exploitation paths to achieve GPU memory corruption on affected Snapdragon-based devices.
Affected Versions
| Platform | Status |
|---|---|
| Qualcomm Snapdragon chipsets with affected Adreno GPU | See June 2025 Qualcomm bulletin for specific chipset list |
| Android devices with affected Snapdragon SoCs | Apply June 2025 Android security patches from OEM |
Technical Details
The incorrect authorization (CWE-863) occurs in a second location within the Adreno GPU micronode command dispatch path. A different specific sequence of GPU commands bypasses this authorization check, allowing untrusted code to execute commands in a privileged GPU micronode context, leading to memory corruption.
The existence of two distinct authorization bypass paths (CVE-2025-21479 and CVE-2025-21480) for the same underlying attack surface indicates a systemic authorization design issue in the GPU command processing pipeline, not an isolated coding error. Patching only one CVE while leaving the other unpatched provides incomplete protection.
Key differences from CVE-2025-21480:
- Targets a different GPU command sequence and different authorization check
- Provides an alternative exploitation path for attackers who encounter mitigations targeting CVE-2025-21480 specifically
Exploitation Context
Qualcomm confirmed "indications of limited, targeted exploitation" for CVE-2025-21479 in the June 2025 bulletin. Both CVE-2025-21479 and CVE-2025-21480 were added to the CISA KEV catalog simultaneously, indicating both were observed exploited.
Remediation
- Apply June 2025 Android security patches (patch level 2025-06-01 or later) from your OEM. This patches CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038 together.
- Both CVE-2025-21479 and CVE-2025-21480 must be patched to close all authorization bypass paths in the GPU pipeline.
- Keep Chrome up to date so that any Chrome-level mitigations that reduce GPU exploit reachability are in place.
- See CVE-2025-21480 for additional remediation context.
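A fleet-triage sketch for the patch-level check above, added here as an example and not taken from Qualcomm, Google or CISA. It assumes an inventory export of `device,soc_vendor,security_patch` lines (the last field being each device's `ro.build.version.security_patch` value) and treats every Qualcomm device as in scope until it is checked against the bulletin's chipset list; the inventory format, device names and function names are hypothetical.

```python
from datetime import date

# Thresholds as stated on this page.
REQUIRED_PATCH_LEVEL = date(2025, 6, 1)   # "patch level 2025-06-01 or later"
KEV_DEADLINE = date(2025, 6, 24)          # CISA KEV deadline

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = """\
pixel-lab-01,google,2025-06-05
sd-phone-17,qualcomm,2025-05-01
sd-phone-18,qualcomm,2025-06-01
sd-tablet-03,qualcomm,
sd-phone-22,qualcomm,2025-6-1x
"""

def parse_patch_level(raw):
    """Return a date for a YYYY-MM-DD patch level, or None if unusable."""
    try:
        return date.fromisoformat(raw.strip())
    except ValueError:
        return None

def triage(inventory_text, today):
    """Map each Qualcomm device to (status, overdue_against_KEV_deadline)."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        device, vendor, raw = (field.strip() for field in line.split(","))
        if vendor.lower() != "qualcomm":
            continue  # assumption: only Qualcomm SoCs are in scope
        level = parse_patch_level(raw)
        if level is None:
            status = "unknown"      # missing or malformed: do not assume patched
        elif level >= REQUIRED_PATCH_LEVEL:
            status = "patched"
        else:
            status = "vulnerable"
        overdue = status != "patched" and today > KEV_DEADLINE
        results[device] = (status, overdue)
    return results

if __name__ == "__main__":
    for device, (status, overdue) in triage(SAMPLE_INVENTORY, date.today()).items():
        print(f"{device}: {status}{' (past KEV deadline)' if overdue else ''}")
```

Devices reported as `unknown` need a manual check, since a missing or malformed patch level says nothing about whether the fix is present.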
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-21479 |
| Vendor / Product | Qualcomm — Multiple Chipsets |
| NVD Published | 2025-06-03 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 8.6 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-863 |
| CISA KEV Added | 2025-06-03 |
| CISA KEV Deadline | 2025-06-24 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-06-03 | Qualcomm June 2025 Security Bulletin published with fix; CISA adds to KEV |
| 2025-06-24 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Qualcomm Security Bulletin — June 2025 | Vendor Advisory |
| NVD — CVE-2025-21479 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |