Google disclosed a high-severity security flaw (CVE-2026-21385) in a Qualcomm graphics component for Android that is already being exploited in limited, targeted attacks. The March 2026 Android security update patches this and 128 other vulnerabilities, including a critical remote code execution bug. The main topics covered are the actively exploited vulnerability, the broader set of patches in the update, and the inclusion of the flaw in a U.S. government catalog mandating remediation.
Google on Monday disclosed that a high-severity security flaw impacting an open-source Qualcomm component used in Android devices has been exploited in the wild.
The vulnerability in question is CVE-2026-21385 (CVSS score: 7.8), a buffer over-read in the Graphics component.
"Memory corruption when adding user-supplied data without checking available buffer space," Qualcomm said in an advisory, describing it as an integer overflow.
The chipmaker said the flaw was reported to it through Google's Android Security team on December 18, 2025. Customers were notified of the security defect on February 2, 2026.
There are currently no details on how the vulnerability is being exploited in the wild. However, Google acknowledged in its monthly Android security bulletin that "there are indications that CVE-2026-21385 may be under limited, targeted exploitation."
Google's March 2026 update contains patches for a total of 129 vulnerabilities, including a critical flaw in the System component (CVE-2026-0006) that could lead to remote code execution without requiring any additional privileges or user interaction. In contrast, Google addressed one Android vulnerability in January 2026 and none last month.
Also patched by Google are multiple critical-rated bugs: a privilege escalation bug in Framework (CVE-2026-0047), a denial-of-service (DoS) in System (CVE-2025-48631), and seven privilege escalation flaws in Kernel components (CVE-2024-43859, CVE-2026-0037, CVE-2026-0038, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031).
The Android security bulletin includes two patch levels – 2026-03-01 and 2026-03-05 – to give Android partners the flexibility to address common vulnerabilities on different devices more quickly.
The second patch level includes fixes for Kernel components, as well as those from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc.
Update
CVE-2026-21385 has been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog as of March 3, 2026, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by March 24, 2026.
Meridiano
