Google March Android Security Bulletin Patches 129 Flaws Including Actively Exploited Qualcomm Display Zero-Day
Google released the March 2026 Android Security Bulletin, issuing fixes for 129 vulnerabilities across the Android ecosystem and shipping two patch levels (2026-03-01 and 2026-03-05) to help OEMs stage platform and hardware-specific updates. The most urgent issue is CVE-2026-21385, a high-severity, actively exploited zero-day in an open-source Qualcomm display component used in Android devices with affected Qualcomm/Snapdragon chipsets.
Reporting indicates CVE-2026-21385 is an integer overflow/wraparound condition in display drivers that can lead to memory corruption during allocation/alignment; successful exploitation could enable device compromise (e.g., arbitrary code execution and/or privilege escalation) and bypass security boundaries. Google and Qualcomm both acknowledged limited, targeted exploitation in the wild, and one account attributes discovery/confirmation of exploitation to Google’s Threat Analysis Group (TAG). Devices not updated to at least patch level 2026-03-05 remain exposed, making rapid patch deployment and user update compliance the primary risk-reduction actions.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Google publishes AOSP patch links in bulletin update
Google updated the March 2026 Android Security Bulletin to add AOSP source patch links, following its notice that source code patches would be released within 48 hours of initial publication. The bulletin update was recorded on March 6, 2026.
CISA adds CVE-2026-21385 to the KEV catalog
CISA added CVE-2026-21385 to its Known Exploited Vulnerabilities catalog after Google's disclosure of active exploitation. The agency set a remediation deadline of 2026-03-24 for U.S. Federal Civilian Executive Branch agencies.
March Android patches begin shipping to Pixel and partners
Google made the March 2026 Android fixes available, with Pixel devices receiving updates immediately and OEM partners able to roll out patches on their own schedules. The split patch levels were intended to help vendors deploy fixes across different device models and component sets.
Google discloses in-the-wild exploitation of CVE-2026-21385
In the March bulletin, Google disclosed that CVE-2026-21385, a high-severity Qualcomm open-source display/graphics flaw, had seen limited, targeted exploitation before public disclosure. The bug was described as an integer overflow/wraparound or related memory-safety issue leading to memory corruption.
Google publishes March 2026 Android Security Bulletin
Google released the March 2026 Android Security Bulletin with patch levels 2026-03-01 and 2026-03-05, addressing 129 vulnerabilities across Android platform, kernel, and vendor components. The bulletin said devices on patch level 2026-03-05 or later are protected against all listed issues.
Qualcomm notifies customers about the CVE-2026-21385 flaw
Qualcomm informed customers in early February 2026 about CVE-2026-21385, a memory-corruption issue affecting Qualcomm display/graphics components used in Android devices. Reports said the flaw impacts a large number of Qualcomm chipsets.
Google privately reports CVE-2026-21385 to Qualcomm
Google's Android security team/Threat Analysis Group reported the Qualcomm display/graphics flaw CVE-2026-21385 to Qualcomm in December 2025, starting the vendor remediation process. Multiple reports place this notification on or around December 18, 2025.
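Fleet triage against the patch levels and the KEV due date given above, as an added example that is not part of the original story or of any vendor tooling. It assumes each device's reported security patch level (the `ro.build.version.security_patch` string) has already been collected into an inventory; the device names and levels below are constructed, and the script does not check whether a device uses an affected Qualcomm chipset.

```python
from datetime import date

# Values taken from the story above.
REQUIRED_LEVEL = date(2026, 3, 5)   # first level covering all listed issues
PARTIAL_LEVEL = date(2026, 3, 1)    # earlier of the two March patch levels
KEV_DEADLINE = date(2026, 3, 24)    # CISA due date for FCEB agencies

def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level string; return None if unusable."""
    try:
        return date.fromisoformat(value.strip())
    except (AttributeError, ValueError):
        return None

def classify(patch_level):
    """Map a reported patch level string to an exposure status."""
    level = parse_patch_level(patch_level)
    if level is None:
        return "unknown"      # no usable value: treat as exposed until verified
    if level >= REQUIRED_LEVEL:
        return "protected"
    if level >= PARTIAL_LEVEL:
        return "partial"      # on 2026-03-01: still below the required level
    return "exposed"

def triage(inventory, today):
    """Return (devices still below 2026-03-05, days until the KEV due date)."""
    order = {"unknown": 0, "exposed": 1, "partial": 2}
    pending = [{"device": n, "status": classify(p), "reported": p}
               for n, p in inventory if classify(p) != "protected"]
    pending.sort(key=lambda d: (order[d["status"]], d["device"]))
    days_left = (KEV_DEADLINE - today).days   # negative once overdue
    return pending, days_left

# Constructed sample inventory: (device name, reported patch level).
SAMPLE_INVENTORY = [
    ("pixel-lab-01", "2026-03-05"),
    ("oem-phone-17", "2026-03-01"),
    ("oem-tablet-03", "2026-02-05"),
    ("kiosk-09", ""),
]

if __name__ == "__main__":
    pending, days_left = triage(SAMPLE_INVENTORY, date(2026, 3, 10))
    print(f"{len(pending)} devices pending, {days_left} days to KEV due date")
    for d in pending:
        print(f"{d['status']:8} {d['device']:14} {d['reported'] or '-'}")
```

A device on 2026-03-01 is reported as "partial" rather than patched, since only 2026-03-05 or later covers every issue in the bulletin.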
Sources
CISA warns of Qualcomm Chipsets Memory Corruption Vulnerability Exploited in Attacks
cybersecuritynews.com
Google patches 129 Android vulnerabilities, including exploited zero-day | brief | SC Media
scworld.com
Android devices hit by exploited Qualcomm flaw CVE-2026-21385
securityaffairs.com
Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited
thehackernews.com
Android gets patches for Qualcomm zero-day exploited in attacks
bleepingcomputer.com
Qualcomm Zero-Day Exploited in Targeted Android Attacks
darkreading.com
Android’s Biggest Security Update Since 2018 - And an Exploit Already in the Wild - TheCyberThrone
thecyberthrone.in
Android Security Bulletin-March 2026 | Android Open Source Project
source.android.com


