CVE-2025-27038 — Qualcomm Multiple Chipsets Use-After-Free Vulnerability

CVE-2025-27038

Qualcomm Adreno GPU — UAF via Chrome Renderer; Remote Exploitation via Malicious Web Content; June 2025 Bulletin

What is the Qualcomm Adreno GPU?

Qualcomm's Adreno GPU is the graphics processor integrated into Qualcomm Snapdragon system-on-chips (SoCs), which power the majority of Android smartphones and tablets globally. The Adreno GPU driver handles 3D graphics rendering for all apps, including web browsers like Chrome that use GPU acceleration for web content rendering (WebGL, CSS animations, video decoding). Because the GPU driver processes untrusted web content indirectly via the Chrome/WebView rendering pipeline, vulnerabilities in the Adreno driver can be triggered remotely via malicious web pages visited in Chrome.

Overview

CVE-2025-27038 is a use-after-free vulnerability (CWE-416) in the Qualcomm Adreno GPU driver that is triggered while rendering graphics through the driver in Chrome. An attacker can exploit this vulnerability by serving malicious web content that causes Chrome to invoke Adreno GPU operations in a way that triggers the UAF, potentially enabling memory corruption and code execution within the GPU driver's context. Qualcomm disclosed active exploitation in its June 2025 Security Bulletin, and CISA added the vulnerability to the KEV catalog the same day.

Affected Versions

Product                                        | Status
Qualcomm Snapdragon chipsets with Adreno GPU   | Affected (see Qualcomm bulletin for specific chipset list)
Android (Qualcomm-based devices)               | Apply June 2025 Android security patches from OEM

Specific affected chipsets are listed in the Qualcomm June 2025 Security Bulletin. Qualcomm Snapdragon chips are used in devices from Samsung (Galaxy series), OnePlus, Motorola, ASUS, and many other OEMs.

Technical Details

The use-after-free (CWE-416) occurs in the Qualcomm Adreno GPU driver while processing graphics rendering commands issued by Chrome's renderer process. The GPU driver allocates kernel objects to manage rendering state; a race condition or improper reference counting allows a rendering object to be freed while a pointer to it is retained in another data structure. When Chrome subsequently issues a rendering command that dereferences the stale pointer, the driver accesses freed (or reallocated) memory.

Exploitation delivery:

  • Attacker serves malicious web content containing WebGL, CSS effects, or other GPU-accelerated operations
  • Chrome's renderer process translates the web content into GPU commands via the Adreno driver
  • The malicious commands trigger the UAF in kernel mode
  • Memory corruption enables potential privilege escalation from Chrome's renderer process context

The Network attack vector (AV:N) and User Interaction Required (UI:R) reflect that the attacker delivers the exploit via a web page that the victim must visit. The High attack complexity (AC:H) indicates the exploit requires specific conditions or timing to trigger reliably.
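The mechanism described above (an object freed while a second data structure still holds a pointer to it, because that structure never took its own reference) can be shown with a small model. The following is a constructed example added here, not code from the Adreno driver or Qualcomm; the object type, pool and lookup table are hypothetical stand-ins, and the race-condition aspect is not modelled. It contrasts the defective insert with one that takes a reference, and reproduces both outcomes the text names: a command that reaches freed memory, and one that silently operates on memory already reused by a different object.

```c
/* Constructed illustration of the stale-pointer pattern described above.
 * The object, lookup table and pool are hypothetical stand-ins, not the
 * Adreno driver's real structures or APIs. */
#include <stdio.h>
#include <string.h>

enum obj_state { SLOT_EMPTY = 0, SLOT_LIVE = 1, SLOT_FREED = 2 };

struct render_obj {            /* rendering-state object with a reference count */
    int id;
    int refcount;
    enum obj_state state;
};

#define POOL_SIZE  4           /* fixed pool stands in for the kernel allocator */
#define TABLE_SIZE 4           /* second structure that retains pointers to objects */
static struct render_obj  pool[POOL_SIZE];
static struct render_obj *table[TABLE_SIZE];

static void reset_model(void) {
    memset(pool, 0, sizeof pool);
    memset(table, 0, sizeof table);
}

/* Allocate from the first slot that is not live. A freed slot is reused,
 * which models the allocator handing freed memory to a new object. */
static struct render_obj *obj_alloc(int id) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].state != SLOT_LIVE) {
            pool[i].id = id;
            pool[i].refcount = 1;   /* creator holds the first reference */
            pool[i].state = SLOT_LIVE;
            return &pool[i];
        }
    }
    return NULL;
}

static void obj_get(struct render_obj *o) { o->refcount++; }

/* Dropping the last reference frees the slot. It is marked rather than
 * free()d so the stale access below stays observable and well defined. */
static void obj_put(struct render_obj *o) {
    if (--o->refcount == 0) o->state = SLOT_FREED;
}

/* Defective: stores the pointer without taking a reference (the CWE-416 pattern). */
static void table_insert_unsafe(int slot, struct render_obj *o) { table[slot] = o; }

/* Fixed: the table owns a reference for as long as it holds the pointer. */
static void table_insert_safe(int slot, struct render_obj *o) { obj_get(o); table[slot] = o; }
static void table_remove_safe(int slot) {
    if (table[slot]) { obj_put(table[slot]); table[slot] = NULL; }
}

/* Command path that dereferences through the table: 0 on success, -1 for an
 * empty slot, -2 when the pointer refers to freed memory. */
static int render_cmd(int slot, int *out_id) {
    struct render_obj *o = table[slot];
    if (!o) return -1;
    if (o->state != SLOT_LIVE) return -2;   /* a real driver would touch freed memory here */
    *out_id = o->id;
    return 0;
}

/* Object freed while the table still points at it; the next command hits freed memory. */
int scenario_unsafe_freed(void) {
    reset_model();
    struct render_obj *o = obj_alloc(42);
    table_insert_unsafe(0, o);
    obj_put(o);                       /* only reference dropped; table pointer is now stale */
    int id = 0;
    return render_cmd(0, &id);        /* -2 */
}

/* Same, but the slot is reallocated first: the command silently uses the wrong object. */
int scenario_unsafe_reallocated(void) {
    reset_model();
    struct render_obj *o = obj_alloc(42);
    table_insert_unsafe(0, o);
    obj_put(o);
    obj_alloc(99);                    /* reuses the freed slot */
    int id = 0;
    return render_cmd(0, &id) == 0 ? id : -1;   /* 99: no error, wrong object */
}

/* With the table holding its own reference, the object outlives the creator's put. */
int scenario_safe(void) {
    reset_model();
    struct render_obj *o = obj_alloc(42);
    table_insert_safe(0, o);
    obj_put(o);                       /* refcount 2 -> 1, object stays live */
    int id = 0;
    int rc = render_cmd(0, &id);      /* 0, id == 42 */
    table_remove_safe(0);             /* last reference dropped here, slot freed */
    return (rc == 0 && id == 42 && o->state == SLOT_FREED) ? 0 : -1;
}

int main(void) {
    printf("unsafe, freed:       rc=%d\n", scenario_unsafe_freed());
    printf("unsafe, reallocated: id=%d\n", scenario_unsafe_reallocated());
    printf("safe:                rc=%d\n", scenario_safe());
    return 0;
}
```

The state check in render_cmd exists only so the model can report the stale access; a production driver has no such check, which is why the reallocated case is the dangerous one: nothing fails, the command just acts on whatever now occupies the memory. The defensive rule the safe variant encodes is that every structure storing a pointer to a refcounted object takes its own reference and drops it when the pointer is cleared, so the object's lifetime is bounded by all holders rather than by whoever allocated it.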

Discovery

Qualcomm disclosed limited targeted exploitation in the June 2025 bulletin — consistent with spyware or state-sponsored actor usage against specific high-value targets via watering hole or phishing links.

Exploitation Context

Qualcomm's June 2025 Security Bulletin noted "there are indications that CVE-2025-27038 may be under limited, targeted exploitation." CISA added the vulnerability to the KEV catalog on the same day as the bulletin, with a 21-day remediation deadline. The delivery mechanism — malicious web content rendered in Chrome — makes this suitable for one-click browser-based exploitation against Android targets, a common vector for mercenary spyware and state-sponsored actor toolchains.

Remediation

  1. Apply Android security patches from your device OEM for June 2025 — the Qualcomm fix is distributed via Android OEM update channels (Samsung, OnePlus, Motorola, etc.), not directly from Qualcomm.
  2. Prioritize Google Pixel devices — Pixel receives Qualcomm patches promptly; other OEMs may ship with a delay of 1–3 months.
  3. Keep Chrome updated — Google may ship Chrome-side mitigations or workarounds via the Chrome app update channel that reduce the exploitability even before the firmware patch is available.
  4. Enable Lockdown Mode (iOS equivalent) or disable JavaScript in browsers for high-risk users while waiting for OEM patches.
  5. Apply companion Android patches from the same June 2025 bulletin that address other Qualcomm components.

Key Details

Property             | Value
CVE ID               | CVE-2025-27038
Vendor / Product     | Qualcomm — Multiple Chipsets
NVD Published        | 2025-06-03
NVD Last Modified    | 2025-10-27
CVSS 3.1 Score       | 7.5
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-416
CISA KEV Added       | 2025-06-03
CISA KEV Deadline    | 2025-06-24
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-06-24. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2025-06-03 | Qualcomm June 2025 Security Bulletin published with fix; CISA adds to KEV (limited targeted exploitation confirmed)
2025-06-24 | CISA BOD 22-01 remediation deadline

References

Resource                                 | Type
Qualcomm Security Bulletin — June 2025   | Vendor Advisory
NVD — CVE-2025-27038                     | Vulnerability Database
CISA KEV Catalog Entry                   | US Government