
Google on Monday revealed that a high-severity security flaw affecting an open-source Qualcomm component used in Android devices was exploited.
The vulnerability in question is CVE-2026-21385 (CVSS score: 7.8), which is a buffer overread in the graphics component.
“Adding user-specified data without checking available buffer space will corrupt memory,” Qualcomm said in the advisory, describing this as an integer overflow.
The chipmaker said the flaw was reported to it through Google’s Android security team on December 18, 2025, and customers were notified of the security flaw on February 2, 2026.
At this time, details about how this vulnerability is being exploited in the wild are unknown. However, Google acknowledged in its monthly Android security bulletin that there are “indications that CVE-2026-21385 may be undergoing limited and targeted exploitation.”
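The bug class Qualcomm's advisory describes, as an added illustration in C that is not Qualcomm's or Google's code and does not reflect the affected component: a fixed buffer receiving caller-supplied data at a caller-supplied offset, where the bounds test itself overflows, next to the overflow-safe form of the same test. The buffer size, the `gfx_buf_t` type and every function name are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 64u

/* Constructed illustration of the bug class, not Qualcomm's code: a fixed
 * buffer that receives caller-supplied data at a caller-supplied offset,
 * with both offset and length arriving as untrusted 32-bit fields. */
typedef struct {
    uint8_t data[BUF_SIZE];
} gfx_buf_t;

/* The defective bounds test: the sum is computed in uint32_t, so a large
 * len wraps it to a small number (16 + 0xFFFFFFF8 becomes 8) and it passes. */
bool bounds_check_overflowing(uint32_t off, uint32_t len) {
    return off + len <= BUF_SIZE;
}

/* The overflow-safe test: subtract instead of add, after first making sure
 * the subtraction itself cannot underflow, so no intermediate can wrap. */
bool bounds_check_safe(uint32_t off, uint32_t len) {
    if (off > BUF_SIZE)
        return false;
    return len <= BUF_SIZE - off;
}

/* Append using the safe test; returns bytes copied, or -1 if rejected. */
int gfx_append(gfx_buf_t *b, uint32_t off, const uint8_t *src, uint32_t len) {
    if (!bounds_check_safe(off, len))
        return -1;
    memcpy(b->data + off, src, len);
    return (int)len;
}

/* Exercise gfx_append at the tail of the buffer: a 4-byte write at offset 60
 * fits and succeeds, a 5-byte write at the same offset is refused. Returns 0. */
int demo_tail_writes(void) {
    gfx_buf_t b;
    const uint8_t src[5] = {1, 2, 3, 4, 5};
    memset(&b, 0, sizeof b);
    if (gfx_append(&b, 60u, src, 4u) != 4 || b.data[63] != 4)
        return -1;
    if (gfx_append(&b, 60u, src, 5u) != -1)
        return -2;
    return 0;
}

int main(void) { return demo_tail_writes(); }
```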
Google’s March 2026 update includes patches for a total of 129 vulnerabilities, including a critical flaw in a system component that could allow remote code execution without additional privileges or user interaction (CVE-2026-0006). In contrast, Google addressed one Android vulnerability in January 2026 and none last month.
Google also patched several other bugs rated critical: a Framework privilege escalation bug (CVE-2026-0047), a System denial-of-service (DoS) bug (CVE-2025-48631), and seven privilege escalation flaws in kernel components (CVE-2024-43859, CVE-2026-0037, CVE-2026-0038, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031).
The Android Security Bulletin includes two patch levels (2026-03-01 and 2026-03-05), giving Android partners the flexibility to quickly address common vulnerabilities on a variety of devices.
The second patch level includes kernel component fixes as well as fixes for Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc.
