Google has released its latest Android Security Bulletin for August 2025, addressing multiple vulnerabilities across the Android ecosystem. Among the most notable vulnerabilities, CVE-2025-21479 and CVE-2025-27038 were reportedly exploited in the wild before this month’s security release. These are joined by CVE-2025-21480, another serious Qualcomm flaw disclosed in June 2025.
The two primary vulnerabilities, CVE-2025-21479 and CVE-2025-27038, have received CVSS scores of 8.6 and 7.5, respectively, indicating high to critical severity. A third, CVE-2025-21480, also scored 8.6 and is being closely monitored. All three were first publicly disclosed by Qualcomm in June, and while precise methods of exploitation have not been publicly revealed, there is credible intelligence suggesting they have been actively used in targeted attacks.
According to Qualcomm’s disclosure, CVE-2025-21479 involves an incorrect authorization issue in the Graphics component, which can allow unauthorized command execution within GPU microcode, leading to potential memory corruption. CVE-2025-27038 is categorized as a use-after-free vulnerability, also within the Graphics component, and could result in memory corruption when rendering graphics through Adreno GPU drivers, particularly in Chrome environments.
The Google Threat Analysis Group has indicated that these vulnerabilities, CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, are subject to “limited, targeted exploitation.” However, no further technical details about the attack vectors or threat actors involved have been disclosed.
Android Security Bulletin: Security Patch Level and Coverage
Devices patched to the 2025-08-05 level will be protected against all vulnerabilities listed in this month’s Android Security Bulletin, including the Qualcomm-related ones.
Users can verify their device’s patch level through the Settings menu. Google emphasizes that Android partners were alerted to these vulnerabilities at least a month in advance, in line with their coordinated disclosure process.
The bulletin also states that all relevant patches will be pushed to the Android Open-Source Project (AOSP) within 48 hours of the bulletin’s release. As of August 4, 2025, this process is already underway.
Critical System Vulnerability Also Addressed
Aside from the Qualcomm vulnerabilities, the bulletin highlights another critical flaw in the Android System component: CVE-2025-48530, a remote code execution (RCE) vulnerability. This issue could allow attackers to execute arbitrary code remotely without requiring user interaction or elevated privileges. Devices running Android 16 are particularly at risk, though mitigations are in place for earlier versions.
Google has assessed this vulnerability as critical due to the potential damage an exploit could cause, particularly if existing security measures are bypassed.
Additional Vulnerabilities in Framework and System Components
The August 2025 bulletin also lists multiple other vulnerabilities, grouped according to their affected components. In the Framework component, CVE-2025-22441 and CVE-2025-48533 were marked as high-severity elevation of privilege (EoP) vulnerabilities. These flaws affect devices running Android versions 13 through 16.
The System component was also home to vulnerabilities like CVE-2025-48530, which, as mentioned, could enable remote code execution. Each of these issues has been patched accordingly in the respective Android version lines.
Conclusion
To mitigate the risk associated with these vulnerabilities, including CVE-2025-21479 and CVE-2025-21480, Google continues to rely on a layered security approach. Central to this is Google Play Protect, which comes pre-enabled on devices with Google Mobile Services and scans for potentially harmful apps, particularly vital for users who install apps outside the Play Store.
Additionally, newer Android versions incorporate better defenses such as improved memory protections, sandboxing, and runtime checks to make exploitation more challenging. Notably, the August 2025 Android Security Bulletin confirms there are no new fixes delivered through Project Mainline this month, with all updates consolidated in the August 1 and August 5 security patch levels.
Devices must be updated to one of these patch levels to be fully protected, with 2025-08-05 covering all known vulnerabilities to date. The bulletin also clarifies common vulnerability classifications, including Remote Code Execution (RCE), Elevation of Privilege (EoP), and Denial of Service (DoS), providing transparency for both users and developers.
