Phone chipmaker Qualcomm fixes three zero-days exploited by hackers

Chipmaker giant Qualcomm released patches on Monday fixing a series of vulnerabilities in dozens of chips, including three zero-days that the company said may be in use as part of hacking campaigns. 

Qualcomm cited Google’s Threat Analysis Group, or TAG, which investigates government-backed cyberattacks, saying the three flaws “may be under limited, targeted exploitation.” 

According to the company’s bulletin, Google’s Android security team reported the three zero-days (CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038) to Qualcomm in February. Zero-days are security vulnerabilities that are not known to the software or hardware maker at the time of their discovery, making them extremely valuable for cybercriminals and government hackers. 

Because of Android’s open source and distributed nature, it’s now up to device manufacturers to apply the patches provided by Qualcomm, which means some devices may still be vulnerable for several more weeks, despite the fact that there are patches available. 

Qualcomm said in the bulletin that the patches “have been made available to [device makers] in May together with a strong recommendation to deploy the update on affected devices as soon as possible.”

Google spokesperson Ed Fernandez told TechCrunch that the company’s Pixel devices are not affected by these Qualcomm vulnerabilities.

When reached by TechCrunch, a spokesperson for Google’s TAG did not immediately provide more information about these vulnerabilities, and the circumstances in which TAG found them. 

Qualcomm did not respond to a request for comment.

Chipsets found in mobile devices are frequent targets for hackers and zero-day exploit developers because chips generally have wide access to the rest of the operating system, which means hackers can jump from there to other parts of the device that may hold sensitive data. 

In the last few months, there have been documented cases of exploitation against Qualcomm chipsets. Last year, Amnesty International identified a Qualcomm zero-day that was being used by Serbian authorities, likely by using phone unlocking tool maker Cellebrite.