Steady cadence of Android zero-days marked as exploited in the wild makes its path to 2026. Following CVE-2025-48633 and CVE-2025-48572, two Android Framework bugs Google flagged for active exploitation, defenders keep seeing the same familiar pattern. Mobile-chain vulnerabilities can move fast from limited attacks to real enterprise risk when patching lags. 

In March 2026, that storyline continues with CVE-2026-21385, a high-severity vulnerability in a Qualcomm Graphics subcomponent. Google’s Android Security Bulletin warns that there are indications that CVE-2026-21385 may be under limited, targeted exploitation.

As of early 2026, data indicates that 2025 was a record-breaking year for cybersecurity vulnerabilities, with Android remaining a primary target for mobile threats. The first half of 2025 saw Android malware rise by 151%, according to Malwarebytes. More vulnerabilities and more mobile malware together shrink the margin for delayed patching, especially when attackers focus on high-value targets.

Sign up for SOC Prime Platform, aggregating the world’s largest detection intelligence dataset and offering a complete product suite that empowers SOC teams to seamlessly handle everything from detection to simulation. The Platform features a large collection of rules addressing critical exploits. Just press Explore Detections and immediately drill down to a relevant detection stack filtered by “CVE” tag.

Explore Detections

All rules are mapped to the latest MITRE ATT&CK® framework and are compatible with multiple SIEM, EDR, and Data Lake platforms. Additionally, each rule comes packed with broad metadata, including CTI references, attack flows, audit configurations, and more.

Cyber defenders can also use Uncoder AI to streamline their detection engineering routine. Turn raw threat reports into actionable behavior rules, test your detection logic, map out attack flows, turn IOCs into hunting queries, or instantly translate detection code across languages backed by the power of AI and deep cybersecurity expertise behind every step.

CVE-2026-21385 Analysis

Google has recently issued its March 2026 Android Security Bulletin, addressing 129 security vulnerabilities across multiple components, including the Framework, System, and hardware-related areas such as Qualcomm drivers. Google confirmed that one of the fixed flaws, CVE-2026-21385 in a Qualcomm display and graphics component, has signals of real-world abuse. 

While Google did not provide further details about the attacks, Qualcomm described the bug in its own advisory as an integer overflow or wraparound in the Graphics subcomponent that can be exploited by a local attacker to trigger memory corruption. The vendor also notes that CVE-2026-21385 affects 235 Qualcomm chipsets, expanding exposure across device models and OEM update timelines.

Qualcomm stated it was alerted to the vulnerability on December 18 by Google’s Android Security team and notified customers on February 2. CVE-2026-21385 has also been added to CISA’s Known Exploited Vulnerabilities catalog as of March 3, 2026, requiring Federal Civilian Executive Branch agencies to apply fixes by March 24, 2026.

CVE-2026-21385 Mitigation

Fixes for CVE-2026-21385 were included in the second part of the March 2026 Android updates, delivered to devices as the 2026-03-05 security patch level. This patch level addresses over 60 vulnerabilities across Kernel and third-party components, including Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm.

The first part of the March updates, rolling out as the 2026-03-01 security patch level, contains fixes for over 50 vulnerabilities in the Framework and System components, including critical issues that could lead to remote code execution and denial of service.

Devices running a security level of 2026-03-05 or higher contain patches for all vulnerabilities listed in the March 2026 bulletin. In enterprise environments, it is important to apply the latest security updates provided for each device model, validate patch levels across managed devices, and prioritize remediation for high-risk users where update rollout is slow or device diversity complicates coverage.

The post CVE-2026-21385: Google Patches Qualcomm Zero-Day Exploited in Targeted Android Attacks appeared first on SOC Prime.

Google has patched 129 vulnerabilities in Android in its March 2026 Android Security Bulletin, including a Qualcomm display flaw that is known to be actively exploited.

You can check your device’s Android version, security update level, and Google Play system update in Settings. You should get a notification when updates are available, but you can also check for them yourself.

On most phones, go to Settings > About phone (or About device), then tap Software updates to see if anything new is available. The exact steps may vary slightly depending on the brand and Android version you’re on.

If your Android phone shows a patch level of 2026-03-05 or later, these issues are fixed.

Keeping your device up to date protects you from known vulnerabilities and helps you stay safe. We know that because of patch gaps and end-of-support cycles, some users may not receive these updates. That’s why additional protection for your Android device is important.

Technical details

The Android zero-day, tracked as CVE-2026-21385, is a high‑severity bug in a Qualcomm graphics/display component that attackers are already exploiting in limited, targeted attacks.

The vulnerability lives in an open‑source Qualcomm graphics/display component used by a large number of Android chipsets, with Qualcomm listing that well over 230 different chipset models are affected. Based on recently published Android and chipset market‑share percentages, it is reasonable to assume the issue affects hundreds of millions of devices worldwide, even if the exact number is hard to pin down.

On most Android phones, you can view the processor model in Settings > About phone (or About device) > Detailed info and specs, and look for entries such as “Processor,” “Chipset,” or “SoC.” Names like “Snapdragon 8 Gen 2,” “Snapdragon 778G,” or “Qualcomm SM8xxx/SM7xxx,” indicate a Qualcomm chipset and that the device may be in the affected family.

Google says there are signs that CVE‑2026‑21385 is already being used in “limited, targeted exploitation,” which usually means a small number of high‑value targets rather than broad, drive‑by attacks on the general public. Current descriptions point to a memory corruption scenario in the graphics component. The official description says:

“Memory corruption while using alignments for memory allocation.”

This means that if an attacker can get a malicious app or local code onto the device, they can feed specially crafted data into the graphics component’s driver and corrupt memory in a controlled way. In practice, a bug like this is a good candidate for turning a normal app’s limited access into something much more powerful, like using it as a building block in a chain of exploits to escalate privileges or to escape a sandbox.

As you can see, the attacker needs some kind of local foothold first, such as getting you to install a malicious app, exploiting another vulnerability, or abusing a compromised app already on the device. 

How to stay safe

From the available information, attackers would need to trick a user into installing a malicious app that could then compromise the device. That’s why it’s a good idea to follow these safety precautions:

• Only install apps from official app stores whenever possible and avoid installing apps promoted in links in SMS, email, or messaging apps.
• Before installing finance‑related or retailer apps, verify the developer’s name, number of downloads, and user reviews rather than trusting a single promotional link.
• Protect your devices. Use an up-to-date, real-time anti-malware solution like Malwarebytes for Android.
• Scrutinize permissions. Does an app really need the permissions it’s requesting to do the job you want it to do? Especially if it asks for accessibility, SMS, or camera access.
• Keep Android, Google Play services, and all other important apps up to date so you get the latest security fixes.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Google confirms that the Qualcomm Android vulnerability CVE-2026-21385 was exploited in real-world attacks.

Google has confirmed that CVE-2026-21385 (CVSS score of 7.8), a high-severity vulnerability affecting an open-source Qualcomm component used in Android devices, has been actively exploited.

“There are indications that CVE-2026-21385 may be under limited, targeted exploitation.” reads Google’s advisory.

The flaw is a buffer over-read in the Graphics component that could allow attackers to access sensitive memory data, underscoring ongoing risks to Android users.

The company did not disclose technical details about the attacks exploiting this vulnerability.

“Integer Overflow or Wraparound in Graphics” reads the Qualcomm advisory. “Memory corruption while using alignments for memory allocation.”

Qualcomm received a report about CVE-2026-21385 from Google’s Android Security team on December 18, 2025, and notified customers on February 2, 2026. Google says it sees signs of limited, targeted exploitation, though it has not shared technical details. The March 2026 Android update fixes 129 vulnerabilities, including the critical CVE-2026-0006, which allows remote code execution without user interaction or additional privileges.

Android Security Bulletin March 2026 addressed the following critical flaws:

Framework
CVE-2026-0047 (CVSS score of 8,8) – Critical Framework Elevation of Privilege, local privilege escalation without extra privileges; no user interaction needed.

System
CVE-2026-0006 (CVSS score of 9,8) – Critical System Remote Code Execution, remote code execution without privileges; no user interaction; most severe issue.
CVE-2025-48631 (CVSS score of 8,6) – Critical System Denial of Service, causes device/service denial; no extra privileges needed.

Kernel
CVE-2024-43859 (CVSS score of 8,8) – Critical Kernel Elevation of Privilege in Flash-Friendly File System, local file system privilege escalation.
CVE-2026-0037 (CVSS score of 9,0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege, breaks virtual machine isolation with System privileges.
CVE-2026-0038 (CVSS score of 9,0) – Critical Hypervisor Elevation of Privilege, potential virtual machine escape to host control.
CVE-2026-0027 (CVSS score of 9,0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege, kernel virtualization privilege escalation.
CVE-2026-0028 (CVSS score of 9,0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege, local attacker escalates in protected virtual machines.
CVE-2026-0030 (CVSS score of 9,0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege, high-impact virtualization isolation bypass.
CVE-2026-0031 (CVSS score of 9,0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege, escalates privileges across virtual machine boundaries.

Google’s Android security bulletin introduces two patch levels, 2026-03-01 and 2026-03-05, to help device makers roll out fixes more quickly across different models. The later patch level adds updates for

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google)