PT-2025-23468 · Qualcomm · Qualcomm Snapdragon
Published 2025-01-24 · Updated 2026-01-14 · CVE-2025-21479
CVSS v3.1: 8.6 (High)
Base vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Qualcomm chipsets (affected versions not specified)
Meta Quest 3/3S versions August 7, 2025 update and earlier
Samsung S23 (affected versions not specified)
Description
A flaw exists in the Qualcomm Adreno GPU firmware that allows unauthorized command execution in the GPU micronode. This can lead to memory corruption when a specific sequence of commands is processed. The issue is actively exploited and has been used to gain root access on devices like the Meta Quest 3/3S and Samsung S23. Exploitation involves leveraging the flaw through a combination of page table attacks to achieve kernel-level control. The GPU microcode is shared across multiple products, including IoT devices, phones, laptops, and potentially future automotive systems. The vulnerability has been addressed in the August 2025 Android security update and subsequent Meta Quest firmware updates. It is reported that the vulnerability allows userspace to run privileged GPU commands, enabling read/write access to the kernel via fake pagetables and device compromise.
Recommendations
For Meta Quest 3/3S devices, disable updates and the Oculus updater (com.oculus.updater) to prevent patching.
For Samsung S23 devices, apply the latest firmware updates to address the vulnerability.
For all affected Qualcomm chipsets, apply the August 2025 Android security update or later to mitigate the risk.
Exploit · Fix · LPE · RCE · Incorrect Authorization
Weakness Enumeration
Related Identifiers
BDU:2025-06374
CVE-2025-21479
Affected Products
Qualcomm Snapdragon
References · 86
- https://github.com/FreeXR/eureka_panther-adreno-gpu-exploit-1 · Exploit
- https://bdu.fstec.ru/vul/2025-06374 · Security Note
- https://nvd.nist.gov/vuln/detail/CVE-2025-21479 · Security Note
- https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html · Vendor Advisory
- https://twitter.com/ksg93rd/status/2011447957824901159 · Twitter Post
- https://twitter.com/jbhall56/status/1952702221092540731 · Twitter Post
- https://t.me/ckure/15699 · Telegram Post
- https://twitter.com/macdonaldncode/status/1930066197455810957 · Twitter Post
- https://reddit.com/r/CVEWatch/comments/1myrps8/top_10_trending_cves_24082025 · Reddit Post
- https://twitter.com/wvipersg/status/1953012839611867487 · Twitter Post
- https://t.me/c/1627154862/198736 · Note
- https://reddit.com/r/CVEWatch/comments/1mxxkel/top_10_trending_cves_23082025 · Reddit Post
- https://reddit.com/r/CVEWatch/comments/1oqrkao/top_10_trending_cves_07112025 · Reddit Post
- https://reddit.com/r/CyberDudeBivash/comments/1mwxqf4/cyberdudebivash_threatwire_21st_edition_why_gpus · Reddit Post
- https://twitter.com/grok/status/1953900454460715320 · Twitter Post