CVE-2025-21480
Published: 03 June 2025
Summary
CVE-2025-21480 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Qualcomm Aqt1000 Firmware. Its CVSS base score is 8.6 (High).
Operationally, ranked in the top 16.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-21480 is a memory corruption vulnerability caused by unauthorized command execution in the GPU micronode when a specific sequence of commands is processed. The flaw, tracked under CWE-863, affects Qualcomm GPU components and carries a CVSS 3.1 score of 8.6 reflecting local attack vector, no privileges required, required user interaction, and changed scope with high impact on confidentiality, integrity, and availability.
An attacker with the ability to execute code or submit commands on an affected device can trigger the flaw to corrupt memory. Successful exploitation can allow the attacker to achieve elevated privileges or arbitrary code execution within the GPU context, potentially compromising the broader system due to the changed scope.
The Qualcomm June 2025 security bulletin provides patches addressing the issue, and the vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The associated EPSS score has remained flat at 0.02 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16705
Vulnerability details
Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.
- CWE(s)
- KEV Date Added
- 03 June 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly blocks the unauthorized command sequences that trigger GPU micronode memory corruption by enforcing authorization before any command is accepted.
Applies memory-protection mechanisms that would stop the corruption resulting from the malicious command sequence in the GPU micronode.
Validates command input to reject malformed or unauthorized sequences before they reach the GPU micronode execution path.