Google disclosed a high-severity vulnerability (CVE-2026-21385) in an open-source Qualcomm Graphics component used in Android devices that has been exploited in the wild. The March 2026 Android update includes a patch for this flaw among 129 fixes, and Google notes indications of limited, targeted exploitation. #CVE-2026-21385 #Qualcomm
Key points
- CVE-2026-21385 is a high-severity integer overflow leading to a buffer over-read in a Qualcomm Graphics component that has been exploited in the wild.
- Qualcomm was notified by Google's Android Security team on December 18, 2025, and customers were informed on February 2, 2026.
- Google's March 2026 Android update patches 129 vulnerabilities, including a critical System remote code execution bug (CVE-2026-0006).
- Additional critical fixes address a Framework privilege escalation (CVE-2026-0047), a System DoS (CVE-2025-48631), and seven Kernel privilege escalation flaws (CVE-2024-43859, CVE-2026-0037, CVE-2026-0038, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, CVE-2026-0031).
- Two patch levels (2026-03-01 and 2026-03-05) give partners flexibility; the second level includes Kernel fixes and vendor patches from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc.
Read More: https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html