Cyber Resilience

CVE-2025-27038

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 03 June 2025

Modified: 27 October 2025
KEV Added: 03 June 2025
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0137 (80.6th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27038 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm Ar8031 Firmware. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 19.4% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-27038 is a memory corruption vulnerability, classified under CWE-416, that occurs while rendering graphics using Adreno GPU drivers in Chrome. The flaw affects Qualcomm's Adreno GPU driver components integrated with the Chrome browser and carries a CVSS 3.1 score of 7.5.

An unauthenticated remote attacker can exploit the issue by serving specially crafted web content that triggers the GPU rendering path, requiring user interaction such as visiting a malicious page. Successful exploitation can result in high impacts to confidentiality, integrity, and availability on affected systems.

The June 2025 Qualcomm security bulletin addresses the flaw with driver updates, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, indicating that mitigations should be applied promptly through vendor patches and browser updates.

The associated EPSS score remains flat at 0.0137 with no material increase observed after disclosure.

Vulnerability details

Memory corruption while rendering graphics using Adreno GPU drivers in Chrome.

CWE(s)
KEV Date Added: 03 June 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qualcomm · ar8031 firmware · all versions
qualcomm · csra6620 firmware · all versions
qualcomm · csra6640 firmware · all versions
qualcomm · fastconnect 7800 firmware · all versions
qualcomm · qca2066 firmware · all versions
qualcomm · qca6391 firmware · all versions
qualcomm · qcm6125 firmware · all versions
qualcomm · qcm8550 firmware · all versions
qualcomm · qcn9011 firmware · all versions
qualcomm · qcn9012 firmware · all versions
+34 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely installation of the Qualcomm/Chrome patches that remediate the Adreno GPU memory-corruption flaw.

prevent: Provides memory-protection mechanisms that block use-after-free and other corruption primitives exploited by CVE-2025-27038 during graphics rendering.

prevent, detect: Malicious-code protections can block or detect web content that triggers the GPU driver flaw before memory corruption occurs.
