A high-severity Qualcomm graphics flaw (CVE-2026-21385) is being exploited in limited, targeted attacks against Android devices, with evidence suggesting possible nation-state or commercial spyware involvement. A second critical Android vulnerability (CVE-2026-0047) enables local privilege escalation but has not yet been seen exploited. Patches for both vulnerabilities are available, but their deployment to end-users depends on device manufacturers, creating a lag in consumer protection. The main topics covered are the active exploitation of a Qualcomm zero-day, the disclosure of a critical Android flaw, and the challenges of patching the Android ecosystem.
Qualcomm Zero-Day Exploited in Targeted Android Attacks
The exploitation activity against CVE-2026-21385, a high-severity memory corruption flaw, could be tied to commercial spyware or nation-state threat groups.
A new Qualcomm bug has been exploited in limited and targeted attacks against vulnerable Android devices.
Google published its monthly Android security bulletin on March 2 with, as per usual, a number of vulnerabilities affecting Android devices. Among the more than 100 CVEs listed, two in particular stand out.
One is CVE-2026-21385, a high severity vulnerability in Qualcomm's graphics kernel, which affects a wide range of chipsets. Though few details are available, it's an integer overflow issue that requires local access to exploit. In its own bulletin, Qualcomm describes it as "Memory corruption while using alignments for memory allocation." The flaw, which received a CVSS score of 7.8, was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog on Monday.
Possible Spyware Attack?
The reason CVE-2026-21385 stands out is that Google said in the Android bulletin, "There are indications that CVE-2026-21385 may be under limited, targeted exploitation." It is unclear what "limited and targeted exploitation" means, and Dark Reading contacted both Google and Qualcomm for additional information.
However, Adam Boynton, senior security strategy manager at endpoint security vendor Jamf, says that while one should be careful about speculating, this "is the specific language Google uses when activity is too narrow to be criminal infrastructure but too deliberate to be opportunistic." As in, possibly a nation-state actor or commercial surveillance vendor.
"CVE-2024-43047 — another Qualcomm zero-day — used the same language when it was disclosed, and it was later tied to commercial spyware tooling via Amnesty International's Security Lab," Boynton says. "That's not confirmation of the same here, but the profile is consistent. We don't know who is behind this. But the way Google and Qualcomm are describing it tells you something about what they think they're looking at."
The other vulnerability of note this month is CVE-2026-0047, a critical local privilege escalation flaw in Android's System component "that could lead to remote code execution with no additional execution privileges needed," the bulletin read. No user interaction is needed, either. It's caused by a missing permission check in dumpBitmapsProto of ActivityManagerService.java.
"The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed," Google warned.
Boynton says the fact that an attacker already needs to be on a device to use it offers a meaningful barrier to attack, hence why it likely hasn't been exploited in the wild just yet. It would be used as part of a chained attack rather than a standalone one.
"Someone gets initial access through a phishing link, a malicious app, or an RCE like CVE-2026-0006, and then uses the escalation to go deeper and persist," he says. "The question isn't really whether it will be exploited. It's whether it will be visible when it is. These chained techniques are harder to attribute and often only surface in post-incident forensics, long after the damage is done."
The Complexities of Patching Android Flaws
Patches for CVE-2026-21385 are currently available, and Qualcomm says they're being shared with relevant OEMs, "who have been notified and strongly recommended to deploy those patches on released devices as soon as possible."
Patches are also available for CVE-2026-0047 via the Android Open Source Project (AOSP).
One issue to consider is that Android flaws, particularly like the Qualcomm one, are beholden to OEMs at the consumer level. This, as Boynton points out, means that consumers are reliant on manufacturers (that aren't necessarily Google or Qualcomm) to fix an impacted device with a patch, even if the patch was released at disclosure. That lag matters when vulnerabilities are being exploited faster than ever.
As a result, Qualcomm, in its bulletin, urged customers to "Please contact the device manufacturer for information on the patching status of released devices."
Meridiano
