PT-2025-23468 · Qualcomm · Qualcomm Snapdragon

Published: 2025-01-24 · Updated: 2025-11-29 · CVE-2025-21479

CVSS v3.1: 8.6
Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Qualcomm chipsets (affected versions not specified)
Meta Quest 3 and 3S versions August 7, 2025 and earlier
Samsung S23 (affected versions not specified)

Description

A flaw exists in Qualcomm Adreno GPU firmware that allows unauthorized command execution in the GPU micronode. This can lead to memory corruption when a specific sequence of commands is processed. The issue has been actively exploited, with reports indicating its use in achieving root access on devices like the Meta Quest 3/3S and Samsung S23. Exploitation involves manipulating page tables to gain kernel read/write access and ultimately compromise the device. The vulnerability affects multiple product types, including IoT devices, phones, laptops, and potentially automotive systems. The GPU microcode is shared across various products, making a wide range of devices susceptible. The issue was addressed in Google’s August 2025 Android security update.

Recommendations

For Meta Quest 3/3S devices, disable updates and the Oculus updater (com.oculus.updater) to prevent the installation of the patched firmware. For Samsung S23 devices, there is no information about a newer version that contains a fix for this vulnerability. For other affected Qualcomm chipsets, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

LPE

Incorrect Authorization

Weakness Enumeration

Related Identifiers

BDU:2025-06374
CVE-2025-21479

Affected Products

Qualcomm Snapdragon