Google Patches Qualcomm Zero-Day Exploited in Targeted Android Attacks as March Update Fixes 129 Vulnerabilities
Google's March 2026 Android security update addresses 129 vulnerabilities including an actively exploited Qualcomm graphics flaw affecting 235 chipsets and a critical remote code execution bug in Android 16.
Google released its March 2026 Android security bulletin on March 3, patching 129 vulnerabilities across the Android ecosystem. The update includes a fix for CVE-2026-21385, a high-severity Qualcomm graphics flaw that the company confirmed is under active exploitation, as well as a critical remote code execution vulnerability affecting Android 16.
What We Know
CVE-2026-21385 is an integer overflow vulnerability in Qualcomm’s Display subcomponent that allows local attackers to trigger memory corruption through a buffer over-read. The flaw carries a CVSS score of 7.8 and affects 235 Qualcomm chipsets, significantly broadening its potential exposure across Android devices worldwide.
Google acknowledged in its bulletin that “there are indications that CVE-2026-21385 may be under limited, targeted exploitation,” though the company has not disclosed technical details about the observed attacks or attributed them to any specific threat actor. The vulnerability was reported to Qualcomm by Google’s Android Security team on December 18, 2025, and Qualcomm notified its customers on February 2, 2026.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-21385 to its Known Exploited Vulnerabilities catalog on March 3, requiring Federal Civilian Executive Branch agencies to apply the fix by March 24, 2026.
Beyond the Qualcomm zero-day, the March bulletin addresses several other high-impact flaws. The most severe is CVE-2026-0006, a critical remote code execution vulnerability in the System component’s media codecs that requires no user interaction and no additional execution privileges. This flaw currently affects only Android 16.
The update also patches seven critical kernel-level elevation of privilege vulnerabilities in pKVM (CVE-2026-0037, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031 among them), as well as a critical kernel F2FS flaw tracked as CVE-2024-43859.
The patches span multiple chip vendors: Qualcomm accounts for 14 CVEs, MediaTek for 20, Imagination Technologies for 7, Unisoc for 7, and Arm Mali for 1. The Framework component alone received fixes for more than 30 vulnerabilities, mostly high-severity privilege escalation flaws.
Google is distributing the fixes across two patch levels: 2026-03-01 covers Framework and System vulnerabilities, while 2026-03-05 adds kernel components and third-party vendor fixes. Devices running Android 10 and later are also eligible for some fixes delivered through Google Play system updates.
What We Don’t Know
Google has not disclosed who is behind the targeted exploitation of CVE-2026-21385 or which specific device populations were affected. The company’s use of “limited, targeted exploitation” typically indicates attacks by sophisticated actors — often state-sponsored groups or commercial spyware vendors — but no formal attribution has been made. It also remains unclear whether the vulnerability was exploited as part of a broader exploit chain or used in isolation.
Analysis
The March 2026 bulletin continues a pattern of Qualcomm component vulnerabilities surfacing in targeted Android attacks. The 235-chipset blast radius of CVE-2026-21385 is notable, though the actual risk depends on which devices have received the patch. Android’s fragmented update ecosystem means many devices — particularly those from smaller manufacturers or older models no longer receiving updates — may remain exposed well beyond CISA’s March 24 remediation deadline. Organizations managing Android device fleets should prioritize deploying the 2026-03-05 patch level, which includes the Qualcomm fix alongside all other March corrections.