Google disclosed an actively exploited zero-day memory-corruption vulnerability, CVE-2026-21385, in an open-source Qualcomm display component for Android devices that Qualcomm says affects 234 chipsets and may be under limited, targeted exploitation. Google’s March security update also patched 129 Android defects — the largest single-month total since April 2018 — and both Google and Qualcomm urge users and device makers to apply fixes as they become available.
Key points
- CVE-2026-21385 is a high-severity memory-corruption zero-day in an open-source Qualcomm display component that may be under limited, targeted exploitation.
- Qualcomm reports the defect affects 234 chipsets and says fixes were made available to customers in January 2026.
- Google’s March Android security update addressed 129 vulnerabilities, the highest monthly total since April 2018.
- The bulletin includes two patch levels (2026-03-01 and 2026-03-05), and device makers must push customized updates on their own schedules.
- Google credited its Threat Analysis Group for coordinated disclosure and will publish source code for the addressed fixes to the Android Open Source Project.
Read More: https://cyberscoop.com/android-security-update-march-2026/