Phone Chipmaker Qualcomm Fixes Three Zero-Days Exploited by Hackers

Giant chipmaker Qualcomm has released patches for a series of vulnerabilities in dozens of chips, including three zero-days that the company claims may be being used as part of hacking campaigns. The patches were made available on Monday, following reports from Google's Threat Analysis Group (TAG) in February.

The three zero-days, identified as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, are believed to be extremely valuable for cybercriminals and government hackers. These vulnerabilities were not known to Qualcomm at the time of their discovery, making them "zero-day" exploits.

Because Android's open source and distributed nature means that it's up to device manufacturers to apply the patches provided by Qualcomm, some devices may still be vulnerable for several more weeks, despite the fact that there are patches available. This poses a significant risk to users who rely on these devices for sensitive information.

Google Confirms Pixel Devices Are Not Affected

Google spokesperson Ed Fernandez told TechCrunch that the company's Pixel devices are not affected by these Qualcomm vulnerabilities. However, it's worth noting that other Android devices may still be vulnerable, and users should keep an eye on their device manufacturer's website for updates.

The Circumstances Surrounding These Vulnerabilities

Google spokesperson Kimberly Samra, representing Google's TAG, did not immediately provide more information about these vulnerabilities or the circumstances in which TAG found them. The team at TAG investigates government-backed cyberattacks, and it's likely that they were alerted to these vulnerabilities as part of their ongoing efforts.

A Call to Action for Users

Qualcomm spokesperson Dave Schefcik has urged end users to apply security updates as soon as possible. "We encourage end users to apply security updates as they become available from device makers," he said.

The Importance of Chipset Security

Chips in mobile devices are frequently targeted by hackers and zero-day exploit developers. This is because chips have wide access to the rest of the operating system, making it easier for hackers to jump from there to other parts of the device that may hold sensitive data.

A History of Qualcomm Zero-Days

There have been documented cases of exploitation against Qualcomm chipsets in recent months. Last year, Amnesty International identified a Qualcomm zero-day that was being used by Serbian authorities, likely as part of phone unlocking tool maker Cellebrite's operations.

A Final Note on Security

"Think you know AI? Prove it." With the countdown to TC Sessions: AI underway, it's your chance to flex your AI knowledge—and score 2 tickets for the price of 1. Answer a few quick AI trivia questions to start your challenge. Special trivia deal ends June 4.