Android’s August 2025 update patches actively exploited Qualcomm flaws

Overview

Google released the August 2025 Android security update on 5 August 2025, addressing six vulnerabilities across the platform【923746973989650†L121-L160】. Two of these flaws—CVE‑2025‑21479 and CVE‑2025‑27038—affect Qualcomm’s Adreno GPU drivers and have been actively exploited in targeted attacks【923746973989650†L125-L138】. The update also fixes a critical remote code‑execution bug in Android’s System component that attackers could chain with other vulnerabilities to compromise a device without user interaction【923746973989650†L149-L152】.

Vulnerabilities fixed

• CVE‑2025‑21479 (Graphics framework incorrect authorization): This weakness stems from improper authorization in the GPU micronode, allowing memory corruption and unauthorized command execution when a specific sequence of commands is processed【923746973989650†L129-L133】.
• CVE‑2025‑27038 (use‑after‑free in Adreno drivers): A memory management flaw in Qualcomm’s Adreno drivers causes memory corruption when rendering graphics in Chrome【923746973989650†L129-L133】.
• Additional flaws include other Qualcomm GPU issues (CVE‑2025‑21480), plus bugs in closed‑source third‑party and kernel components【923746973989650†L154-L158】.

The vulnerabilities were reported to Google’s Android Security Team in January 2025 and added to the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog in June【923746973989650†L135-L147】. Qualcomm released patches in June and strongly urged device manufacturers to deploy them as soon as possible【923746973989650†L140-L143】.

Patch levels and device availability

The August update is delivered in two patch levels: 2025‑08‑01 and 2025‑08‑05【923746973989650†L154-L156】. The first batch addresses the Qualcomm vulnerabilities, while the second bundles those fixes with updates for closed‑source and kernel subcomponents. Pixel devices received the update immediately, but other Android vendors often take longer to integrate and test patches【923746973989650†L154-L160】.

Recommended actions

1. Update your device: Users should install the August 2025 security update as soon as it becomes available for their device. Check your settings under System > Security > Updates.
2. Be vigilant with downloads: Only install apps from trusted publishers and scrutinize requested permissions. The exploited vulnerabilities highlight how attackers may chain bugs with malicious apps.
3. Enable Play Protect: Ensure Google Play Protect is enabled so that malicious apps are automatically scanned and flagged.
4. Follow CISA guidance: Because the bugs are listed in the KEV catalog, enterprises—especially those under U.S. federal mandates—should prioritize patching【923746973989650†L145-L148】.

Conclusion

The August 2025 Android security bulletin underscores the importance of timely updates. With two Qualcomm GPU flaws exploited in the wild and a critical System bug that could lead to remote code execution, delaying updates leaves devices exposed. By patching promptly and practicing good app hygiene, Android users can mitigate the risk of exploitation.