What is the CVSS score of CVE-2025-27038?

CVE-2025-27038 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 1.1%.

Which versions of Chrome are affected by CVE-2025-27038?

CVE-2025-27038 is an actively exploited memory corruption vulnerability affecting Chrome users with Adreno GPU drivers, posing immediate risk of system compromise through malicious graphics…

Is CVE-2025-27038 being actively exploited?

Yes, CVE-2025-27038 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. Immediate patching is required.

How to fix or mitigate CVE-2025-27038?

Within 24 hours: inventory Chrome deployments with Adreno GPU drivers (primarily Qualcomm-based Android and some Windows devices); communicate elevated risk to affected users. Within 7 days: disable GPU acceleration in Chrome for high-risk user groups; enforce browser sandboxing and restrict access to untrusted websites. Within 30 days: prepare rapid deployment of patch upon vendor release; consider alternative browsers for critical workflows; implement enhanced endpoint monitoring for exploitation attempts.

Chrome CVE-2025-27038

EUVD-2025-16700 HIGH

Use After Free (CWE-416)

2025-06-03 product-security@qualcomm.com

Denial Of Service Chrome Google Memory Corruption Ar8031 Firmware Csra6620 Firmware Csra6640 Firmware Fastconnect 7800 Firmware Qca2066 Firmware Qca6391 Firmware Qcm6125 Firmware Qcm8550 Firmware Qcn9011 Firmware Qcn9012 Firmware Qcs6125 Firmware Qcs8550 Firmware Sm6475 Firmware Sm6650 Firmware Sm6650p Firmware Sm7435 Firmware Sm7635 Firmware Sm7635p Firmware Smart Audio 400 Platform Firmware Snapdragon 4 Gen 2 Mobile Platform Firmware Snapdragon 6 Gen 1 Mobile Platform Firmware Snapdragon 680 4g Mobile Platform Firmware Sw5100 Firmware Sw5100p Firmware Video Collaboration Vc1 Platform Firmware Wcd9335 Firmware Wcd9370 Firmware Wcd9375 Firmware Wcd9378 Firmware Wcd9385 Firmware Wcd9395 Firmware Wcn3950 Firmware Wcn3980 Firmware Wcn3988 Firmware Wcn6650 Firmware Wcn6740 Firmware Wcn6755 Firmware Wsa8810 Firmware Wsa8815 Firmware Wsa8830 Firmware Wsa8832 Firmware Wsa8835 Firmware

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2025-16700

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

Added to CISA KEV

Oct 27, 2025 - 17:10 cisa

CISA KEV

CVE Published

Jun 03, 2025 - 06:15 nvd

HIGH 7.5

DescriptionNVD

Memory corruption while rendering graphics using Adreno GPU drivers in Chrome.

AnalysisAI

Qualcomm Adreno GPU drivers in Chrome contain a use-after-free vulnerability (CVE-2025-27038, CVSS 7.5) enabling memory corruption during graphics rendering. KEV-listed, this vulnerability can be triggered through Chrome on Android devices with Qualcomm chipsets, providing a kernel-level exploitation path from web content.

Technical ContextAI

When Chrome renders graphics on Android devices with Qualcomm Adreno GPUs, it interacts with the kernel-level GPU driver. The use-after-free in the Adreno driver can be triggered by crafted WebGL or Canvas operations in web content. Because the GPU driver runs in kernel context, successful exploitation provides kernel-level access — bypassing Android's app sandbox and all OS-level security.

RemediationAI

Apply Android security patch and update Chrome. Ensure auto-updates are enabled. Enterprise: enforce minimum patch levels via MDM.

More from same product – last 7 days

CVE-2026-44739 HIGH This Week

8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config

CVE-2026-8842 MEDIUM This Month

6.4 May 27

Stored Cross-Site Scripting in the Google+ Link Name WordPress plugin (versions up to and including 1.0) allows authenti

CVE-2025-68712 MEDIUM This Month

5.5 May 27

Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circum

CVE-2026-7552 MEDIUM This Month

5.3 May 28

Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration

CVE-2025-68709 MEDIUM This Month

5.2 May 26

Arbitrary JavaScript execution in SailingLab AppLock 4.3.8 for Android is triggered by a malicious co-installed app send

CVE-2025-27038 vulnerability details – vuln.today

Back

Chrome CVE-2025-27038

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code