Chipmaker Qualcomm has released new security updates to fix several vulnerabilities in its mobile chips—three of which hackers were actively using. If you’re using a phone with a Qualcomm chip, it’s important to know what’s happening and how it might affect your device.
The updates, which were made public on Monday, include patches for three zero-day vulnerabilities. These are serious flaws that attackers discovered before Qualcomm knew about them. According to Google’s Threat Analysis Group (TAG), the flaws were already being used in targeted attacks, though these seem limited in scope for now.
What are the flaws, and who discovered them
Back in February, Google’s Android security team first spotted the three critical flaws—CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038—and reported them to Qualcomm. Zero-day vulnerabilities are especially dangerous because software or hardware makers are unaware of them when they’re first discovered, making it easy for hackers to sneak in.
Qualcomm confirmed that these flaws could allow attackers to access sensitive mobile device parts by exploiting the chip at a deep system level. Because these chips are closely tied to how your phone’s operating system runs, they can give hackers access to data and apps on your device if left unpatched.
TAG believes these flaws may be part of hacking campaigns carried out by government-backed groups, but no further details have been shared yet. Kimberly Samra, a spokesperson for TAG, has not commented further on how the flaws were found or who may be behind the attacks.
Updates are out, but your device might still be at risk
Although Qualcomm has now made fixes available, you might not immediately see the updates on your phone. This is because Qualcomm doesn’t update phones directly—they pass the patches on to phone manufacturers like Samsung, OnePlus, and others.
Qualcomm said in its bulletin that these fixes were sent to manufacturers in May, and they strongly recommend pushing the updates to users as soon as possible. However, depending on your phone’s brand and carrier, the actual update could still take a few weeks to reach your device.
A Google spokesperson, Ed Fernandez, confirmed that these Qualcomm-specific issues do not affect Pixel devices. That’s likely because Google controls its Pixel phones’ hardware and software more tightly than other Android phone makers.
Why hackers target chips like Qualcomm’s
Smartphone chips have access to nearly every part of your device, including sensitive information like messages, emails, photos, and passwords. If hackers manage to control the chip, they can often control the entire phone.
Due to this deep access, Qualcomm chips have been targeted by hackers in the past. For instance, last year, Amnesty International reported a Qualcomm vulnerability that was allegedly being used by Serbian authorities, likely through tools made by Cellebrite, a company known for unlocking phones.
In light of the recent update, Qualcomm advises users to stay alert. “We encourage end users to apply security updates as they become available from device makers,” said company spokesperson Dave Schefcik.
To stay protected, check your phone settings regularly for software updates, especially over the next few weeks. The best way to keep your device secure is to apply these patches as soon as they are available.
