CVE-2025-27038
Published: 03 June 2025
Summary
CVE-2025-27038 is a high-severity Use After Free (CWE-416) vulnerability in Qualcomm Ar8031 Firmware. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 19.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-27038 is a memory corruption vulnerability, classified under CWE-416, that occurs while rendering graphics using Adreno GPU drivers in Chrome. The flaw affects Qualcomm's Adreno GPU driver components integrated with the Chrome browser and carries a CVSS 3.1 score of 7.5.
An unauthenticated remote attacker can exploit the issue by serving specially crafted web content that triggers the GPU rendering path, requiring user interaction such as visiting a malicious page. Successful exploitation can result in high impacts to confidentiality, integrity, and availability on affected systems.
The June 2025 Qualcomm security bulletin addresses the flaw with driver updates, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, indicating that mitigations should be applied promptly through vendor patches and browser updates.
The associated EPSS score remains flat at 0.0137 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16700
Vulnerability details
Memory corruption while rendering graphics using Adreno GPU drivers in Chrome.
- CWE(s)
- KEV Date Added
- 03 June 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of the Qualcomm/Chrome patches that remediate the Adreno GPU memory-corruption flaw.
Provides memory-protection mechanisms that block use-after-free and other corruption primitives exploited by CVE-2025-27038 during graphics rendering.
Malicious-code protections can block or detect web content that triggers the GPU driver flaw before memory corruption occurs.