Chipmaker giant Qualcomm released a patch on Monday that fixed a range of vulnerabilities in dozens of chips, including ones the company said may be in use as part of a hacking campaign.
Qualcomm cited Google's Threat Analysis Group (TAG), which investigates government-backed cyberattacks, saying the three flaws "may be under limited, targeted exploitation."
According to the company's announcement, Google's Android security team reported the three zero-days (CVE-2025-21479, CVE-2025-21480 and CVE-2025-27038) to Qualcomm in February. A zero-day is a security vulnerability that the software or hardware maker is not aware of at the time it is discovered, which makes zero-days extremely valuable to cybercriminals and government hackers.
Because of Android's open source and distributed nature, it is now up to device manufacturers to apply the patches provided by Qualcomm, which means that despite patches being available, some devices may remain vulnerable for weeks.
Qualcomm said in the announcement that the patches were made available to equipment manufacturers in May, with a strong recommendation to deploy the update on affected devices as soon as possible.
Google spokesman Ed Fernandez told TechCrunch that the company's Pixel devices are not affected by these Qualcomm vulnerabilities.
When reached by TechCrunch, a spokesperson for Google's TAG did not immediately provide more information about the vulnerabilities and the circumstances in which TAG found them.
Qualcomm did not respond to a request for comment.
Chipsets found in mobile devices are common targets for hackers and zero-day developers, as chips often have extensive access to the rest of the operating system, meaning hackers can jump from there to other parts of the device that may hold sensitive data.
Over the past few months, there have been documented cases of exploitation of Qualcomm chipsets. Last year, Amnesty International identified a Qualcomm zero-day that was being used by Serbian authorities, possibly by using Cellebrite, a maker of phone unlocking tools.