Android’s Impossible Deadline—3 Weeks To Update Or Stop Using Phones
Android flaw cannot yet be fixed.
A tricky dilemma for Android users this week, as both Google and Samsung release this month’s Pixel and Galaxy security updates with critical missing fixes. And with a June 24 deadline to secure phones or power them down, something needs to give. There are 30-plus important fixes that have been released, but not the ones that matter most.
The fixes are long-awaited patches from Qualcomm, which warns Android users that “there are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation.” The flaw affects Adreno Graphics Processing Unit (GPU) drivers.
It is assumed but not known that exploitation would have been used in commercial spyware software, similar to the well publicized attacks outed by Amnesty International. Qualcomm says patches “have been made available to OEMs in May together with a strong recommendation to deploy the update on affected devices as soon as possible.”
The deadline which comes courtesy of America’s cyber defense agency is mandatory for federal staff and recommended for everyone else. CISA warns “multiple Qualcomm chipsets contain” these vulnerabilities, which it describes as follows:
- CVE-2025-27038: “A use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome.”
- CVE-2025-21480: “An incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.”
- CVE-2025-21479: “An incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.”
CISA has slapped a 21-day mandatory deadline on federal agency employees to update phones by June 24 “or discontinue use of the product if mitigations are unavailable.” Right now, the window for June’s security updates has been missed, which means absent an out-of-band update that deadline will also be missed.
In the past, we have seen such updates make their way to Pixel faster than Galaxy, with Samsung phones lagging. The company warns patches from chipset vendors “may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.”
This plays into the challenge for Samsung in working around an OS and ecosystem it dominates but doesn’t control. In that regard, the more pressing issue for its users will be the speed with which Android 16 via One UI 8 reaches their phones. With a Pixel timeline expected any day now, the gap between the two phones will be critical.
While CISA’s deadline is only mandatory for federal staff, its remit is to operate “for the benefit of the cybersecurity community and network defenders — and to help every organization better manage vulnerabilities and keep pace with threat activity.” As such all users are urged to install these Qualcomm updates as soon as they’re available.