CVE-2025-21480

What is the Qualcomm Adreno GPU Micronode?

Qualcomm's Adreno GPU (integrated into Snapdragon SoCs powering most Android phones) uses a microarchitecture with dedicated processing units called "micronodes" that handle specific GPU tasks. Commands sent to micronodes are mediated by access control checks to prevent untrusted code from executing privileged GPU operations. An incorrect authorization check (CWE-863) in this mediation layer allows untrusted code to execute commands that should be restricted to higher-privilege contexts.

Overview

CVE-2025-21480 is an incorrect authorization vulnerability (CWE-863) in multiple Qualcomm chipsets affecting the Adreno GPU micronode command processing. By executing a specific sequence of GPU commands, an attacker can bypass authorization checks and trigger unauthorized command execution in GPU micronodes — leading to memory corruption. The vulnerability is closely related to companion CVE-2025-21479 (patched in the same June 2025 Qualcomm bulletin) and CVE-2025-27038 (Adreno GPU UAF, also from the same bulletin). All three affect the GPU processing pipeline reachable from web content in Chrome.

Affected Versions

Technical Details

The incorrect authorization (CWE-863) occurs in the GPU command processing pipeline where micronodes execute instructions. The authorization logic fails to correctly verify that a specific sequence of GPU commands is permitted for the calling privilege level. When an attacker executes the specific sequence, the authorization check incorrectly permits commands that should be blocked, leading to unauthorized GPU micronode execution and subsequent memory corruption.

The Changed scope (S:C) and local-without-privileges (AV:L/PR:N) characteristics indicate this is reachable from an untrusted application or sandboxed process (such as the Chrome renderer) — making it potentially exploitable via malicious web content similarly to companion CVE-2025-27038.

Companion vulnerabilities in the same June 2025 Qualcomm bulletin:

• CVE-2025-21479: Second incorrect authorization vulnerability in the same GPU pipeline (different authorization check)
• CVE-2025-27038: Adreno GPU use-after-free (Chrome renderer path)

Discovery

Qualcomm confirmed "there are indications that CVE-2025-21480 may be under limited, targeted exploitation" in the June 2025 bulletin. CISA added to the KEV catalog on the same day as the bulletin.

Exploitation Context

Limited targeted exploitation confirmed. The GPU-based attack surface reachable from web content makes this suitable for mobile spyware delivery chains, consistent with the exploitation patterns seen in Android GPU vulnerabilities throughout 2025.

Remediation

1. Apply Android security patches from your device OEM for June 2025 (patch level 2025-06-01 or later). Google Pixel devices receive patches promptly; other OEMs may have delays.
2. Apply patches for CVE-2025-21479 and CVE-2025-27038 simultaneously — all three are in the same June 2025 Qualcomm bulletin and address the same GPU attack surface.
3. Keep Chrome updated — Google may ship Chrome-level mitigations reducing exploit accessibility before firmware patches arrive.
4. Prioritize high-risk users (executives, government officials, journalists) for prompt patching given the targeted exploitation pattern.