Android’s August 2025 Update Patches Exploited Qualcomm Vulnerability

Android’s light August 2025 security update resolves an Adreno GPU vulnerability confirmed as exploited in June.

Google on Monday announced a fresh set of security updates for Android that address six vulnerabilities in the operating system and third-party components, including an exploited Qualcomm flaw.

The exploited bug, disclosed in early June and tracked as CVE-2025-27038 (CVSS score of 7.5), is described as a use-after-free issue when rendering graphics using Adreno GPU drivers in Chrome.

“There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation,” Qualcomm said on June 2. The US cybersecurity agency CISA added all three to the KEV catalog the next day.

In May, Qualcomm shipped patches for all three security defects to OEMs and phone makers, but Google’s June Android patches did not include fixes for them, and no security patch was rolled out in July, for the first time in a decade.

While no details on the observed exploitation of CVE-2025-27038 have been shared publicly, Qualcomm’s phrasing and the previous exploitation of bugs in its chipsets suggest that it might have been targeted by a commercial spyware vendor.

The most severe of the five remaining flaws in the August 2025 Android security bulletin is a critical-severity remote code execution (RCE) issue in the System component, tracked as CVE-2025-48530, which can be exploited without user interaction.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution in combination with other bugs, with no additional execution privileges needed,” Google notes.

The first part of Android’s August 2025 update arrives on devices as the 2025-08-01 security patch level and resolves the System security defect, along with two high-severity elevation of privilege (EoP) vulnerabilities in the Framework component.

The second part arrives as the 2025-08-05 security patch level and addresses one flaw in Arm components and two issues in Qualcomm components, including the exploited bug.

“We urge organizations to ensure all managed Android devices are promptly updated to the 2025-08-05 security patch level (or newer) so they aren’t exposed. This month’s bulletin reinforces the principle that even smaller updates can close pathways used by skilled threat actors – staying ahead requires proactivity, not complacency,” Jamf senior security strategy manager Adam Boynton said.
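The two patch levels described above can be turned into a fleet check. The following is an added example, not code from SecurityWeek, Google or Jamf: it parses captured `getprop` output and reports which part of the August 2025 bulletin each device still lacks. It assumes the standard Android system property `ro.build.version.security_patch` (not named in the article), and the device names and sample output are constructed.

```python
import re
from datetime import date

# What each patch level of the August 2025 bulletin resolves, per the article.
LEVELS = [
    (date(2025, 8, 1), "System RCE CVE-2025-48530 and two Framework EoP flaws"),
    (date(2025, 8, 5), "one Arm flaw and two Qualcomm flaws, incl. exploited CVE-2025-27038"),
]
# getprop prints "[key]: [value]"; the property name is an assumption (see lead-in).
PROP = re.compile(
    r"^\[ro\.build\.version\.security_patch\]:\s*\[(\d{4})-(\d{2})-(\d{2})\]\s*$", re.M)

def patch_level(getprop_output):
    """Return the security patch level as a date, or None if absent or malformed."""
    m = PROP.search(getprop_output)
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # syntactically valid but impossible date, e.g. 2025-13-40
        return None

def missing_fixes(level):
    """List the bulletin parts a device at this patch level still lacks."""
    if level is None:
        return ["unknown patch level: treat as unpatched"]
    return [desc for required, desc in LEVELS if level < required]

def audit(fleet):
    """Map device id -> missing fixes (an empty list means compliant)."""
    return {dev: missing_fixes(patch_level(out)) for dev, out in fleet.items()}

# Constructed sample inventory: hypothetical device id -> captured getprop output.
FLEET = {
    "phone-a": "[ro.build.version.release]: [15]\n[ro.build.version.security_patch]: [2025-08-05]\n",
    "phone-b": "[ro.build.version.security_patch]: [2025-08-01]\r\n",
    "phone-c": "[ro.build.version.security_patch]: [2025-06-05]\n",
    "phone-d": "[ro.build.version.release]: [14]\n",
}

if __name__ == "__main__":
    for dev, gaps in audit(FLEET).items():
        print(dev, "OK" if not gaps else "MISSING: " + "; ".join(gaps))
```

A device at 2025-08-01 passes a naive "patched in August" check yet still lacks the fix for the exploited Qualcomm bug, which is why the comparison is made against 2025-08-05.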

No security patches have been included in the August 2025 security bulletins for Android Automotive OS and Wear OS, and Google has yet to publish a Pixel security bulletin for this month.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
