4 October 2023

Qualcomm, ARM warn of zero-day vulnerabilities in GPUs, drivers



US semiconductor company Qualcomm has warned about the active exploitation of three zero-day vulnerabilities in its Adreno GPU and Compute DSP drivers.

Tracked as CVE-2023-33106, CVE-2023-33107, and CVE-2023-33063, the three zero-days have been described as input validation issues that could be used by a local app to elevate privileges. The vendor said it will provide more detailed information on the flaws at a later date.

The fourth vulnerability said to have been exploited by hackers is CVE-2022-22071, a use-after-free error in the Automotive Android OS that can lead to arbitrary code execution with elevated privileges.

The flaws were brought to Qualcomm's attention by Google's Threat Analysis Group (TAG) and Project Zero teams, which suggested that they “may be under limited, targeted exploitation.”

Qualcomm’s disclosure comes on the heels of Arm’s security advisory about a zero-day flaw in the Mali GPU Kernel Driver actively exploited in the wild.

Tracked as CVE-2023-4211, the bug is a use-after-free error within the Mali GPU Kernel Driver that can be used by a local application to execute arbitrary code with elevated privileges. The issue affects the following releases:

  • Midgard GPU Kernel Driver: All versions from r12p0 - r32p0

  • Bifrost GPU Kernel Driver: All versions from r0p0 - r42p0

  • Valhall GPU Kernel Driver: All versions from r19p0 - r42p0

  • Arm 5th Gen GPU Architecture Kernel Driver: All versions from r41p0 - r42p0

As in the above case, the vulnerability was discovered by Google’s TAG and Project Zero teams. The issue was fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0.

In addition, Google released its monthly Android bulletin addressing multiple bugs, including CVE-2023-4863, a heap-based buffer overflow issue impacting the WebP image format in the Chrome web browser that was addressed last month.

Users are advised to apply updates from original equipment manufacturers (OEMs) as soon as they become available.

