Google on Monday disclosed {that a} high-severity security flaw impacting an open-source Qualcomm part utilized in Android gadgets has been exploited within the wild.
The vulnerability in query is CVE-2026-21385 (CVSS rating: 7.8), a buffer over-read within the Graphics part.
“Reminiscence corruption when including user-supplied information with out checking accessible buffer house,” Qualcomm stated in an advisory, describing it as an integer overflow.
The chipmaker stated the flaw was reported to it by Google’s Android Safety staff on December 18, 2025. Prospects had been notified of the security defect on February 2, 2026.
There are at the moment no particulars on how the vulnerability is being exploited within the wild. Nonetheless, Google acknowledged in its month-to-month Android security bulletin that “there are indications that CVE-2026-21385 could also be beneath restricted, focused exploitation.”
Google’s March 2026 replace incorporates patches for a complete of 129 vulnerabilities, together with a important flaw within the System part (CVE-2026-0006) that might result in distant code execution with out requiring any extra privileges or person interplay. In distinction, Google addressed one Android vulnerability in January 2026 and none final month.
Additionally patched by Google are a number of critical-rated bugs: a privilege escalation bug in Framework (CVE-2026-0047), a denial-of-service (DoS) in System (CVE-2025-48631), and 7 privilege escalation flaws in Kernel elements (CVE-2024-43859, CVE-2026-0037, CVE-2026-0038, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031).
The Android security bulletin contains two patch ranges – 2026-03-01 and 2026-03-05 – to offer Android companions the pliability to deal with frequent vulnerabilities on totally different gadgets extra shortly.
The second patch stage contains fixes for Kernel elements, in addition to these from Arm, Creativeness Applied sciences, MediaTek, Qualcomm, and Unisoc.
