Google has released security updates addressing 129 Android vulnerabilities, including an actively exploited zero-day flaw (CVE-2026-21385) in a Qualcomm graphics component. This high-severity vulnerability allows local attackers to trigger memory corruption and affects 235 Qualcomm chipsets. The updates also patch 10 critical vulnerabilities in system components that could enable remote code execution without user interaction. While Google Pixel devices receive updates immediately, other manufacturers may delay patches as they adapt them for specific hardware.
Google has released security updates to patch 129 Android security vulnerabilities, including an actively exploited zero-day flaw in a Qualcomm display component.
"There are indications that CVE-2026-21385 may be under limited, targeted exploitation," the company said on Monday in its March 2025 Android Security Bulletin.
While Google didn't provide any further information on the attacks currently targeting this vulnerability, Qualcomm revealed in a separate security advisory issued on February 3 that the flaw is an integer overflow or wraparound in the Graphics subcomponent that local attackers can exploit to trigger memory corruption.
Qualcomm says it was alerted to this high-severity vulnerability on December 18 by Google's Android Security team, and it notified customers on February 2. According to its February advisory, which has yet to flag CVE-2026-21385 as exploited in attacks, the security flaw affects 235 Qualcomm chipsets.
"We commend the researchers from Google’s Threat Analysis Group for using coordinated disclosure practices," a Qualcomm spokesperson told BleepingComputer. "Regarding their GPU-related research, fixes were made available to our customers in January 2026. We encourage end users to apply security updates as they become available from device makers."
With this month's Android security updates, Google fixed 10 critical security vulnerabilities in the System, Framework, and Kernel components that attackers can exploit to gain remote code execution, elevate privileges, or trigger denial-of-service conditions.
"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation," Google said.
Google issued two sets of patches: the 2026-03-01 and 2026-03-05 security patch levels. The latter bundles all fixes from the first batch, as well as patches for closed-source third-party and kernel subcomponents, which may not apply to all Android devices.
While Google Pixel devices receive security updates immediately, other vendors often take longer to test and tweak them for specific hardware configurations.
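Because vendor rollouts lag, the patch level a device reports is the practical way to tell which of the two sets of fixes it has. The script below is an added example, not code from Google or BleepingComputer; the status labels, the inventory format and the sample devices are assumptions made for illustration.

```shell
#!/bin/sh
# Patch levels named in the bulletin described above.
BASE_LEVEL="2026-03-01"   # first set of fixes
FULL_LEVEL="2026-03-05"   # first set plus closed-source third-party and kernel fixes

# On a real device the value comes from:
#   adb shell getprop ro.build.version.security_patch
# The inventory below is constructed sample data: "<device-label> <patch-level>".
SAMPLE_INVENTORY='pixel-a 2026-03-05
oem-b 2026-03-01
oem-c 2026-02-05
oem-d unknown'

# classify_patch_level LEVEL -> prints full | partial | missing | invalid
classify_patch_level() {
    level=$1
    # Accept only YYYY-MM-DD; empty or malformed values are reported, not guessed.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # Fixed-width ISO dates compare correctly as integers once dashes are removed.
    n=$(printf '%s' "$level" | tr -d '-')
    base=$(printf '%s' "$BASE_LEVEL" | tr -d '-')
    full=$(printf '%s' "$FULL_LEVEL" | tr -d '-')
    if [ "$n" -ge "$full" ]; then
        echo full        # both sets of fixes
    elif [ "$n" -ge "$base" ]; then
        echo partial     # first set only; third-party and kernel fixes absent
    else
        echo missing     # none of this month's fixes
    fi
}

# audit_inventory: reads "<label> <level>" lines on stdin, prints "<label> <status>".
audit_inventory() {
    while read -r label level; do
        [ -n "$label" ] || continue
        printf '%s %s\n' "$label" "$(classify_patch_level "$level")"
    done
}

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

Devices reported as `partial`, `missing` or `invalid` are the ones to follow up with the vendor or restrict until an update is available.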
A Google spokesperson was not immediately available for comment when contacted by BleepingComputer regarding the CVE-2026-21385 attacks and their targets.
Google released patches for two other high-severity zero-day vulnerabilities (CVE-2025-48633 and CVE-2025-48572) in December, both of which were also tagged as "under limited, targeted exploitation."
Update March 03, 13:42 EST: Added Qualcomm statement.