

Android Update Patches Exploited Qualcomm Zero-Day

An integer overflow or wraparound in the Qualcomm graphics component, the bug leads to memory corruption. The post Android Update Patches Exploited Qualcomm Zero-Day appeared first on SecurityWeek.


Google on Monday announced the rollout of new Android security updates containing patches for nearly 130 vulnerabilities, including an exploited zero-day.

The exploited flaw, tracked as CVE-2026-21385 (CVSS score of 7.8) and impacting the graphics component of over 200 Qualcomm chipsets, is described as an integer overflow or wraparound issue leading to memory corruption while using alignments for memory allocation.

According to Jamf senior enterprise strategy manager Adam Boynton, the successful exploitation of the weakness could allow attackers to “bypass security controls and gain unauthorised control over the system”.

According to Qualcomm’s advisory, the bug was reported on December 18, 2025, through the Google Android Security team. The chip maker notified its customers of CVE-2026-21385 on February 2 and disclosed the security defect on Monday.

“There are indications that CVE-2026-21385 may be under limited, targeted exploitation,” Google notes in Android’s March 2026 security bulletin.

The company has not shared details on the observed attacks, but these types of vulnerabilities are often exploited by commercial spyware vendors. 

Fixes for the bug were included in the second part of this month’s Android updates, which arrive on devices as the 2026-03-05 security patch level. This patch level resolves over 60 vulnerabilities in kernel, Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm components.

The first part of the updates, rolling out as the 2026-03-01 security patch level, contains fixes for over 50 vulnerabilities in the Framework and System components, including critical flaws leading to remote code execution (RCE) and denial-of-service (DoS).

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation,” Google notes.

Devices running a security level of 2026-03-05 or higher contain patches for all these vulnerabilities.
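The following shell sketch is an added example, not code from Google, Qualcomm or the original article. It classifies a device's security patch level against the two levels named above: "partial" means the device has the 2026-03-01 fixes but not the 2026-03-05 set that contains the CVE-2026-21385 patch. It assumes the level is read from the standard Android property `ro.build.version.security_patch`; the function names and the inventory entries are constructed for illustration.

```shell
#!/bin/sh
# Patch levels named in the article (Android March 2026 bulletin).
SPL_PART1="2026-03-01"   # Framework and System fixes
SPL_PART2="2026-03-05"   # adds kernel/vendor fixes, incl. CVE-2026-21385

# classify_spl LEVEL -> prints full | partial | missing | invalid
# On a connected device the level comes from:
#   adb shell getprop ro.build.version.security_patch
classify_spl() {
    spl=$(printf '%s' "$1" | tr -d '\r ')   # adb output may carry a CR
    # Accept only the YYYY-MM-DD shape; never compare anything else as a date.
    case "$spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # Zero-padded ISO dates order correctly as integers once dashes are removed.
    n=$(printf '%s' "$spl" | tr -d '-')
    p1=$(printf '%s' "$SPL_PART1" | tr -d '-')
    p2=$(printf '%s' "$SPL_PART2" | tr -d '-')
    if [ "$n" -ge "$p2" ]; then echo full
    elif [ "$n" -ge "$p1" ]; then echo partial
    else echo missing
    fi
}

# audit_inventory: reads "device_id patch_level" lines on stdin, prints one
# verdict per device, and returns non-zero if any device is not "full".
audit_inventory() {
    rc=0
    while read -r dev level; do
        [ -n "$dev" ] || continue
        status=$(classify_spl "$level")
        printf '%s\t%s\t%s\n' "$dev" "${level:-<none>}" "$status"
        [ "$status" = full ] || rc=1
    done
    return $rc
}

# Constructed sample inventory (device ids and levels are made up).
sample_inventory() {
cat <<'EOF'
pixel-lab-01 2026-03-05
tablet-kiosk-07 2026-03-01
handset-qa-12 2026-02-05
legacy-scanner-03 unknown
EOF
}

sample_inventory | audit_inventory || echo "at least one device is below $SPL_PART2"
```

A device reported as "invalid" should be treated as unpatched until its patch level can be read reliably.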

On Monday, Google also announced the release of fixes for two Wear OS vulnerabilities, impacting the platform’s Framework and System components. The fresh Wear OS update also includes patches for all the security defects described in Android’s March 2026 security bulletin.

Google says there are no platform-specific patches in this month’s Android Automotive OS and Android XR updates.
