Android March Security Update Patches Actively Exploited Qualcomm Display Zero-Day
Google’s March Android security update addressed 129 vulnerabilities, including one actively exploited high-severity memory-corruption flaw in an open-source Qualcomm display component tracked as CVE-2026-21385. Google warned the issue “may be under limited, targeted exploitation,” and reporting indicated Qualcomm marked the vulnerability as exploited; Qualcomm stated it provided fixes to customers in January 2026 and urged end users to apply OEM-delivered device updates as they become available.
Separately, the Canadian Centre for Cyber Security issued multiple vendor rollups and advisories on March 2, 2026, including an Android monthly rollup (AV26-187) pointing organizations to the Android Security Bulletin for patching guidance. Additional Canadian advisories covered unrelated vulnerability sets in Veeam Kasten for Kubernetes (AV26-188), VMware Tanzu products (AV26-186), Red Hat (including Linux kernel updates) (AV26-184), CISA ICS advisories for multiple OT/IoT products (AV26-183), Dell infrastructure products (AV26-181), and IBM enterprise software (AV26-180); these are general patch-notification items and do not provide details tied to the Android/Qualcomm zero-day beyond directing readers to apply vendor updates.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security urges Android users to apply updates
On March 2, 2026, the Canadian Centre for Cyber Security issued an advisory directing users and administrators to review Google’s Android bulletin and apply the necessary updates. The advisory highlighted the need to remediate the disclosed Android vulnerabilities.
Google publishes March 2026 Android security bulletin
On March 2, 2026, Google released its March 2026 Android security bulletin addressing 129 vulnerabilities across two patch levels. The bulletin included CVE-2026-21385, which Google said may be under limited, targeted exploitation.
Qualcomm notifies customers about CVE-2026-21385
Qualcomm said it notified customers about CVE-2026-21385 on February 2, 2026. The flaw is a high-severity Android-related memory-corruption issue in a Qualcomm display component.
Qualcomm makes fixes for CVE-2026-21385 available to customers
Qualcomm said patches for CVE-2026-21385 were made available to its customers in January 2026, ahead of broader customer notification. The vulnerability was later described as being under limited, targeted exploitation.
Google reports Qualcomm display flaw CVE-2026-21385 to Qualcomm
Google’s Android security team reported CVE-2026-21385, a high-severity memory-corruption flaw in an open-source Qualcomm display component, to Qualcomm. The flaw was later described as affecting 234 Qualcomm chipsets.
Sources
Google addresses actively exploited Qualcomm zero-day in fresh batch of 129 Android vulnerabilities | CyberScoop
cyberscoop.com
Android security advisory - March 2026 monthly rollup (AV26-187) - Canadian Centre for Cyber Security
cyber.gc.ca


