129 Patches, One Actively Exploited
Google released its March 2026 Android security bulletin on March 3, patching a total of 129 vulnerabilities across core Android components and hardware-specific drivers. The most urgent fix addresses an actively exploited zero-day that affects hundreds of millions of Android devices worldwide.
CVE-2026-21385: The Qualcomm Zero-Day
The critical fix targets CVE-2026-21385, a high-severity zero-day vulnerability in an open-source Qualcomm Display component that Google confirmed is "under limited, targeted exploitation" in the wild.
| Detail | Value |
|---|---|
| CVE | CVE-2026-21385 |
| Severity | High |
| Type | Integer overflow / wraparound causing memory corruption |
| Affected chipsets | 234 Qualcomm chipsets |
| Exploitation | Confirmed in the wild (limited, targeted) |
The targeted exploitation suggests the vulnerability may have been leveraged in surveillance or espionage operations against specific individuals, though neither Google nor Qualcomm disclosed details about the threat actors or targets involved.
Critical Remote Code Execution Flaw
Separately, the update addresses CVE-2026-0006, a critical-severity vulnerability in the Android System component:
- Impact: Remote code execution
- Privileges required: None
- User interaction: None
- Affected: Android 16 (Media Codecs Mainline component)
This flaw could allow an attacker to execute arbitrary code on a victim's device without any user interaction — a worst-case scenario for mobile security.
Additional Critical Fixes
| CVE | Component | Severity | Type |
|---|---|---|---|
| CVE-2026-0047 | Framework | Critical | Privilege escalation |
| CVE-2025-48631 | System | Critical | Denial of service |
| 7 additional flaws | Kernel | High | Privilege escalation |
Patch Levels
The update is split into two patch levels:
- 2026-03-01: Core Android framework and system flaws
- 2026-03-05: Hardware-specific issues from Qualcomm, MediaTek, and ARM
What You Should Do
- Apply updates immediately — especially given the confirmed in-the-wild exploitation
- Check your device's patch level under Settings > About phone > Android security patch level
- Enterprise MDM teams should prioritize pushing the March update to managed devices
- Monitor for unusual device behavior that could indicate compromise via CVE-2026-21385
- Consider Google Pixel or Samsung devices that receive same-day security patches for faster protection
The 234 affected Qualcomm chipsets span a massive portion of the Android ecosystem, making this one of the widest-reaching zero-day patches in Android history.