高通Adreno GPU零日漏洞被用于安卓攻击
1 分•作者: Great_Cat•5 个月前
已紧急修复了 Adreno GPU 驱动程序中的三个关键零日漏洞,这些漏洞正被积极利用,在全球范围内针对 Android 设备发动定向攻击。这些漏洞——CVE-2025-21479、CVE-2025-21480 和 CVE-2025-27038——由谷歌威胁分析小组 (TAG) 披露,并被分配了高 CVSS 评分,表明其严重性。
漏洞详情:
• CVE-2025-21479 和 CVE-2025-21480:这是图形组件中的授权错误漏洞,允许在特定序列期间在 GPU 微节点中执行未经授权的命令。这可能导致内存损坏和潜在的权限提升。
• CVE-2025-27038:图形组件中的释放后使用漏洞,在使用 Adreno GPU 驱动程序在 Chrome 中渲染图形时可能导致内存损坏。
受影响的芯片组包括各种高通骁龙处理器,影响了包括三星、小米、一加等制造商在内的数十亿 Android 设备。
高通已向设备制造商发布了针对这些漏洞的补丁,敦促立即部署以减轻潜在风险。强烈建议用户尽快更新其设备,以确保免受这些漏洞的侵害。
此事件突显了移动硬件组件中持续存在的安全挑战,以及及时进行软件更新以保护用户数据和隐私的重要性。
查看原文
has urgently addressed three critical zero-day vulnerabilities in its Adreno GPU drivers, which are actively being exploited in targeted attacks against Android devices worldwide. These vulnerabilities—CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038—were disclosed by Google’s Threat Analysis Group (TAG) and have been assigned high CVSS scores, indicating their severity.<p>Vulnerability Details:
• CVE-2025-21479 & CVE-2025-21480: These are incorrect authorization vulnerabilities in the Graphics component, allowing unauthorized command execution in the GPU micronode during specific sequences. This can lead to memory corruption and potential privilege escalation.
• CVE-2025-27038: A use-after-free vulnerability in the Graphics component that can cause memory corruption while rendering graphics using Adreno GPU drivers in Chrome.<p>The affected chipsets include a wide range of Qualcomm Snapdragon processors, impacting billions of Android devices across various manufacturers such as Samsung, Xiaomi, OnePlus, and others.<p>Qualcomm has released patches for these vulnerabilities to device manufacturers, urging immediate deployment to mitigate potential risks. Users are strongly advised to update their devices as soon as possible to ensure protection against these exploits.<p>This incident highlights the ongoing security challenges in mobile hardware components and the importance of timely software updates to protect user data and privacy.