Google March Android Security Bulletin Patches 129 Flaws Including Actively Exploited Qualcomm Display Zero-Day

Tags: actively-exploited-vulnerability, embedded-device-vulnerability, widely-deployed-product-advisory, open-source-dependency-vulnerability
Updated March 21, 2026 at 02:15 PM · 10 sources

Google released the March 2026 Android Security Bulletin, issuing fixes for 129 vulnerabilities across the Android ecosystem and shipping two patch levels (2026-03-01 and 2026-03-05) to help OEMs stage platform and hardware-specific updates. The most urgent issue is CVE-2026-21385, a high-severity, actively exploited zero-day in an open-source Qualcomm display component used in Android devices with affected Qualcomm/Snapdragon chipsets.

Reporting describes CVE-2026-21385 as an integer overflow/wraparound in the display driver's allocation and alignment arithmetic that results in memory corruption. Successful exploitation could enable device compromise (arbitrary code execution and/or privilege escalation) and bypass security boundaries. Google and Qualcomm both acknowledged limited, targeted exploitation in the wild, and one account attributes discovery and confirmation of exploitation to Google's Threat Analysis Group (TAG). Devices not updated to at least patch level 2026-03-05 remain exposed, so rapid patch deployment and user update compliance are the primary risk-reduction actions. On a device, the installed level can be read from Settings > About phone or from the `ro.build.version.security_patch` system property; anything earlier than 2026-03-05 should be treated as unpatched for this issue.
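The allocation/alignment wraparound pattern described above, as an added illustrative example that is not the Qualcomm driver code (which is not reproduced on this page) and not taken from the bulletin: a constructed framebuffer size computation done in 32-bit arithmetic, beside a checked variant that does the same math with overflow detection and an upper bound. The function names `fb_size_unchecked`, `fb_size_checked`, `fb_size_or_zero` and `alloc_covers_blit`, the 4096-byte alignment and the 256 MiB cap are all hypothetical choices for the example.

```c
/*
 * Constructed illustration of an integer overflow/wraparound in a display
 * buffer size computation, of the general kind the bulletin describes.
 * This is NOT the Qualcomm driver code; every name and constant here is
 * hypothetical and chosen only to show the pattern and its fix.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FB_ALIGN     4096u                      /* hypothetical page alignment */
#define FB_MAX_BYTES (256u * 1024u * 1024u)     /* hypothetical policy cap (256 MiB) */

/* Round v up to a multiple of FB_ALIGN in 32-bit arithmetic.
 * Wraps to a tiny value when v is within FB_ALIGN-1 of UINT32_MAX. */
static uint32_t align_up32(uint32_t v)
{
    return (v + FB_ALIGN - 1u) & ~(FB_ALIGN - 1u);
}

/* Vulnerable pattern: width * height * bpp computed in 32 bits, then aligned.
 * Either step can wrap, so the driver allocates a small (even zero-byte)
 * buffer while later code still writes width * height * bpp bytes into it. */
uint32_t fb_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t bytes = width * height * bpp;
    return align_up32(bytes);
}

/* Hardened pattern: reject zero dimensions, multiply and align in 64 bits
 * with explicit overflow checks, and enforce a policy maximum before any
 * allocation happens. Returns false on rejection; *out is written only on success. */
bool fb_size_checked(uint32_t width, uint32_t height, uint32_t bpp,
                     size_t max_bytes, size_t *out)
{
    uint64_t bytes, aligned;

    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if (__builtin_mul_overflow((uint64_t)width, (uint64_t)height, &bytes))
        return false;
    if (__builtin_mul_overflow(bytes, (uint64_t)bpp, &bytes))
        return false;
    if (__builtin_add_overflow(bytes, (uint64_t)(FB_ALIGN - 1u), &aligned))
        return false;
    aligned &= ~(uint64_t)(FB_ALIGN - 1u);
    if (aligned > max_bytes)                 /* also rules out aligned > SIZE_MAX */
        return false;
    *out = (size_t)aligned;
    return true;
}

/* Convenience wrapper: the checked size, or 0 if the request was rejected.
 * 0 is never a valid result because zero dimensions are rejected and the
 * smallest accepted size is FB_ALIGN. */
size_t fb_size_or_zero(uint32_t width, uint32_t height, uint32_t bpp, size_t max_bytes)
{
    size_t out;
    return fb_size_checked(width, height, bpp, max_bytes, &out) ? out : 0;
}

/* True if an allocation of alloc_bytes covers every byte a blit of
 * width x height pixels at bpp bytes each would write (no wraparound). */
bool alloc_covers_blit(uint64_t alloc_bytes, uint32_t width, uint32_t height, uint32_t bpp)
{
    uint64_t need;
    if (__builtin_mul_overflow((uint64_t)width * height, (uint64_t)bpp, &need))
        return false;
    return alloc_bytes >= need;
}

int main(void)
{
    /* Constructed inputs: a sane 1080p surface and two attacker-shaped requests. */
    struct { uint32_t w, h, bpp; } cases[] = {
        {1920, 1080, 4},           /* benign: 8294400 bytes, already page aligned */
        {0x10000u, 0x10000u, 4},   /* w*h == 2^32 wraps to 0 in 32-bit multiply  */
        {0xFFFFF001u, 1, 1},       /* bytes + 4095 wraps to 0 inside align_up32  */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t w = cases[i].w, h = cases[i].h, bpp = cases[i].bpp;
        uint32_t unchecked = fb_size_unchecked(w, h, bpp);
        size_t checked = fb_size_or_zero(w, h, bpp, FB_MAX_BYTES);
        printf("%" PRIu32 "x%" PRIu32 "@%" PRIu32 " bpp: unchecked size %" PRIu32
               " (covers blit: %s); checked: ", w, h, bpp, unchecked,
               alloc_covers_blit(unchecked, w, h, bpp) ? "yes" : "NO");
        if (checked)
            printf("%zu bytes\n", checked);
        else
            printf("rejected\n");
    }
    return 0;
}
```

Build with GCC or Clang (`__builtin_mul_overflow` and `__builtin_add_overflow` are compiler builtins available in both). The two attacker-shaped cases show the failure mode the bulletin text names: the unchecked path returns a 0-byte size for buffers the blit would fill with 2^34 and ~4 GiB of pixel data respectively, while the checked path rejects both before anything is allocated. In kernel code the equivalent helpers are `check_mul_overflow()`, `check_add_overflow()` and `array3_size()` from `<linux/overflow.h>`; the point is the same: never compute a size in the same width you pass to the allocator without checking for wraparound, and bound the result.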

Timeline

  1. Mar 6, 2026

    Google publishes AOSP patch links in bulletin update

    Google updated the March 2026 Android Security Bulletin to add AOSP source patch links, following its notice that source code patches would be released within 48 hours of initial publication. The bulletin update was recorded on March 6, 2026.

  2. Mar 3, 2026

    CISA adds CVE-2026-21385 to the KEV catalog

    CISA added CVE-2026-21385 to its Known Exploited Vulnerabilities catalog after Google's disclosure of active exploitation. The agency set a remediation deadline of 2026-03-24 for U.S. Federal Civilian Executive Branch agencies.

  3. Mar 2, 2026

    March Android patches begin shipping to Pixel and partners

    Google made the March 2026 Android fixes available, with Pixel devices receiving updates immediately and OEM partners able to roll out patches on their own schedules. The split patch levels were intended to help vendors deploy fixes across different device models and component sets.

  4. Mar 2, 2026

    Google discloses in-the-wild exploitation of CVE-2026-21385

    In the March bulletin, Google disclosed that CVE-2026-21385, a high-severity Qualcomm open-source display/graphics flaw, had seen limited, targeted exploitation before public disclosure. The bug was described as an integer overflow/wraparound or related memory-safety issue leading to memory corruption.

  5. Mar 2, 2026

    Google publishes March 2026 Android Security Bulletin

    Google released the March 2026 Android Security Bulletin with patch levels 2026-03-01 and 2026-03-05, addressing 129 vulnerabilities across Android platform, kernel, and vendor components. The bulletin said devices on patch level 2026-03-05 or later are protected against all listed issues.

  6. Feb 1, 2026

    Qualcomm notifies customers about the CVE-2026-21385 flaw

    Qualcomm informed customers in early February 2026 about CVE-2026-21385, a memory-corruption issue affecting Qualcomm display/graphics components used in Android devices. Reports said the flaw impacts a large number of Qualcomm chipsets.

  7. Dec 18, 2025

    Google privately reports CVE-2026-21385 to Qualcomm

    Google's Android security team/Threat Analysis Group reported the Qualcomm display/graphics flaw CVE-2026-21385 to Qualcomm in December 2025, starting the vendor remediation process. Multiple reports place this notification on or around December 18, 2025.

Related Entities

Vulnerabilities

- Qualcomm Graphics/Display Memory Corruption in Multiple Chipsets (CVE-2026-21385)
- Android Framework dumpBitmapsProto Missing Permission Check Local Privilege Escalation (CVE-2026-0047)
- Android System heap buffer overflow RCE in Media Codecs Mainline (CVE-2026-0006)
- Android Kernel pKVM EoP via memory corruption in ffa.c (CVE-2026-0037)
- Remote persistent denial of service in Android System LocalImageResolver (CVE-2025-48631)
- Linux kernel F2FS NULL pointer dereference in mount-time truncation path (f2fs_disable_checkpoint/f2fs_gc) (CVE-2024-43859)
- Android Kernel pKVM out-of-bounds write in __host_check_page_state_range (mem_protect.c) (CVE-2026-0030)
- Android Kernel mem_protect.c integer overflow leading to out-of-bounds write (Local EoP) (CVE-2026-0031)
- Use-after-free leading to out-of-bounds write in arm-smmu-v3.c smmu_detach_dev (pKVM EoP) (CVE-2026-0027)
- Android Kernel mem_protect.c logic error leading to local EoP (CVE-2026-0038)
- Android Kernel pKVM __pkvm_host_share_guest Integer Overflow OOB Write EoP (CVE-2026-0028)
- Remote Buffer Overflow in UTT 进取 520W /goform/formPictureUrl (CVE-2026-0841)
- Stored XSS in Smart Appointment & Booking WordPress plugin (saab_save_form_data AJAX) (CVE-2026-0742)
- DoS via integer wraparound infinite loop in Silicon Labs Matter SDK (CVE-2026-0619)
- Missing authorization check in SAP ECC / SAP S/4HANA (EHS Management) enabling credential extraction and auth bypass (CVE-2026-0503)
- Android Framework information disclosure in DevicePolicyManagerService hasAccountsOnAnyUser (CVE-2025-48633)
- Android Framework background activity launch privilege escalation (CVE-2025-48572)
- Qualcomm DSP Service Use-After-Free Privilege Escalation (CVE-2024-43047)

Sources

Earliest source item: March 3, 2026 at 10:03 AM. Five more from sources including Help Net Security, BleepingComputer, Cyberthrone, Dark Reading and Android product advisories.

Related Stories

Android March Security Update Patches Actively Exploited Qualcomm Display Zero-Day

Google’s March Android security update addressed **129 vulnerabilities**, including one **actively exploited** high-severity memory-corruption flaw in an open-source **Qualcomm display component** tracked as **CVE-2026-21385**. Google warned the issue “may be under limited, targeted exploitation,” and reporting indicated Qualcomm marked the vulnerability as exploited; Qualcomm stated it provided fixes to customers in **January 2026** and urged end users to apply OEM-delivered device updates as they become available. Separately, the Canadian Centre for Cyber Security issued multiple vendor rollups and advisories on March 2, 2026, including an **Android monthly rollup (AV26-187)** pointing organizations to the Android Security Bulletin for patching guidance. Additional Canadian advisories covered unrelated vulnerability sets in **Veeam Kasten for Kubernetes (AV26-188)**, **VMware Tanzu products (AV26-186)**, **Red Hat (including Linux kernel updates) (AV26-184)**, **CISA ICS advisories for multiple OT/IoT products (AV26-183)**, **Dell infrastructure products (AV26-181)**, and **IBM enterprise software (AV26-180)**; these are general patch-notification items and do not provide details tied to the Android/Qualcomm zero-day beyond directing readers to apply vendor updates.

1 month ago
Android December 2025 Security Update Addresses Critical DoS and Two Exploited Zero-Days

Google released the December 2025 Android Security Bulletin, patching 107 vulnerabilities, including a critical remote Denial of Service (DoS) flaw (CVE-2025-48631) in the Android Framework and two zero-day vulnerabilities (CVE-2025-48633 and CVE-2025-48572) that are reportedly under active exploitation. The zero-days allow for information disclosure and elevation of privilege, affecting Android versions 13 through 16, and are believed to be targeted in limited attacks. The DoS vulnerability enables remote attackers to crash or disable devices without requiring user interaction or additional execution privileges. The update is distributed in two patch levels (2025-12-01 and 2025-12-05), covering both core Android components and vendor-specific issues. Google’s disclosure highlights the ongoing threat posed by actively exploited vulnerabilities in the Android ecosystem and underscores the importance of timely patching by device manufacturers and users. The December update represents one of the largest patch releases of the year, following a period of irregular vulnerability reporting from Google.

1 month ago
Hardware-Level Android Chip Vulnerabilities Enable Device Compromise

Security researchers and vendors reported **hardware/firmware-level vulnerabilities in Android chip components** that can enable deep device compromise beyond typical app-layer defenses. Ledger’s Donjon research described a flaw involving **MediaTek chip boot-chain behavior and Trustonic’s trusted execution environment (TEE)** that allowed rapid physical compromise: by connecting an affected phone to a laptop over **USB**, attackers could allegedly brute-force the PIN, decrypt storage, and extract sensitive data including messages and **cryptocurrency wallet seed phrases** (e.g., Kraken Wallet, Phantom). The researchers estimated the affected MediaTek chips appear in roughly **one-quarter of Android phones**, disproportionately in lower-cost devices. Separately, Zimperium reported active exploitation of a **Qualcomm graphics zero-day** (**CVE-2026-21385**) in targeted Android attacks, describing a memory-corruption condition that could enable code execution or unauthorized access across “hundreds” of Qualcomm chipsets. A ZDNET article on Android’s *Repair Mode* primarily provides user guidance and anecdotal troubleshooting around a buggy March update/SIM recognition issue; it does not substantively address the chip-level vulnerabilities described in the other reporting and is best treated as tangential consumer advice rather than incident or vulnerability intelligence.

1 month ago