Chipmaker giant Qualcomm released patches on Monday that fix a series of vulnerabilities in dozens of chips, including three zero-days that the company said are being used as part of a hacking campaign.
Qualcomm cited Google's Threat Analysis Group, or TAG, which investigates government-sponsored cyberattacks, as saying that the three flaws could be “under limited, targeted exploitation.”
According to the company's bulletin, Google's Android security team reported the three zero-days to Qualcomm in February: CVE-2025-21479, CVE-2025-21480 and CVE-2025-27038. A zero-day is a security vulnerability that is unknown to the software or hardware maker at the time of its discovery, which makes it highly valuable to cybercriminals and government hackers.
Because of the open source and distributed nature of Android, it is up to device manufacturers to apply the patches provided by Qualcomm. This means that even though patches are available, some devices may remain vulnerable for several more weeks.
Contact Us: Do you have more information about these Qualcomm zero-days, or about other zero-day exploits or zero-day makers? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram and Keybase @lorenzofb, or by email.
Qualcomm said the patches were made available to device makers in May, together with a strong recommendation to deploy the update on affected devices as soon as possible.
Google spokesman Ed Fernandez told TechCrunch that its Pixel devices are not affected by these Qualcomm vulnerabilities.
When reached by TechCrunch, a spokesperson for Google's TAG did not immediately provide details about these vulnerabilities or the circumstances in which TAG found them.
Qualcomm did not respond to requests for comment.
Chipsets found in mobile devices are frequently targeted by hackers and zero-day exploit developers because the chips generally have wide access to the rest of the operating system. This means that hackers can jump from there to other parts of the device that hold sensitive data.
In the past few months, cases of exploitation against Qualcomm chipsets have been documented. Last year, Amnesty International identified a Qualcomm zero-day that was used by Serbian authorities, probably through the use of Cellebrite, a maker of phone-unlocking tools.