高通Adreno GPU零日漏洞在Android攻击中被利用
高通公司紧急修复了其Adreno GPU驱动程序中的三个关键零日漏洞,这些漏洞正在全球范围内针对Android设备的定向攻击中被积极利用。这些漏洞——CVE-2025-21479、CVE-2025-21480和CVE-2025-27038——由谷歌的威胁分析组(TAG)披露,并被赋予了高CVSS评分,表明其严重性。
漏洞详情:
• CVE-2025-21479和CVE-2025-21480:这些是图形组件中的不当授权漏洞,允许在特定序列中在GPU微节点中执行未经授权的命令。这可能导致内存损坏和潜在的权限提升。
• CVE-2025-27038:图形组件中的一个使用后释放漏洞,可能在使用Adreno GPU驱动程序在Chrome中渲染图形时导致内存损坏。
受影响的芯片组包括广泛的高通Snapdragon处理器,影响到数十亿台来自三星、小米、一加等多个制造商的Android设备。
高通已向设备制造商发布了这些漏洞的补丁,敦促立即部署以降低潜在风险。强烈建议用户尽快更新设备,以确保防范这些漏洞的攻击。
此次事件突显了移动硬件组件面临的持续安全挑战,以及及时软件更新对保护用户数据和隐私的重要性。
查看原文
has urgently addressed three critical zero-day vulnerabilities in its Adreno GPU drivers, which are actively being exploited in targeted attacks against Android devices worldwide. These vulnerabilities—CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038—were disclosed by Google’s Threat Analysis Group (TAG) and have been assigned high CVSS scores, indicating their severity.<p>Vulnerability Details:
• CVE-2025-21479 & CVE-2025-21480: These are incorrect authorization vulnerabilities in the Graphics component, allowing unauthorized command execution in the GPU micronode during specific sequences. This can lead to memory corruption and potential privilege escalation.
• CVE-2025-27038: A use-after-free vulnerability in the Graphics component that can cause memory corruption while rendering graphics using Adreno GPU drivers in Chrome.<p>The affected chipsets include a wide range of Qualcomm Snapdragon processors, impacting billions of Android devices across various manufacturers such as Samsung, Xiaomi, OnePlus, and others.<p>Qualcomm has released patches for these vulnerabilities to device manufacturers, urging immediate deployment to mitigate potential risks. Users are strongly advised to update their devices as soon as possible to ensure protection against these exploits.<p>This incident highlights the ongoing security challenges in mobile hardware components and the importance of timely software updates to protect user data and privacy.