Google has confirmed that a high-severity security vulnerability in an open source Qualcomm component used in Android devices has been exploited in the wild. The flaw, tracked as CVE-2026-21385 with a CVSS score of 7.8, affects the Graphics component and is described as a buffer over-read that can lead to memory corruption when user-supplied data is appended to a buffer without first checking how much space remains. Qualcomm characterized the root cause as an integer overflow and said the issue was reported through Google's Android Security team on December 18, 2025, with customers notified of the defect on February 2, 2026.
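The bug class above, an append whose length check is defeated by unsigned integer overflow, is shown here as an added illustration in C. This is not Qualcomm or Android code and says nothing about the actual CVE-2026-21385 code path; the buffer type and every function name (append_buf, vuln_check, safe_check, safe_append, wrapping_len) are invented for the example, and the payload is constructed.

```c
/* Added illustration, not Qualcomm or Android code: an "append without
 * checking available space" whose bounds check is defeated by unsigned
 * integer overflow, next to a hardened version. All names are invented. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define CAP 64u

struct append_buf {
    uint8_t  data[CAP];
    uint32_t used;      /* bytes already written */
};

/* Vulnerable pattern: "used + len <= CAP" is evaluated in 32-bit unsigned
 * arithmetic. For an attacker-chosen len close to UINT32_MAX the sum wraps
 * to a small value, the check passes, and the memcpy that would follow
 * reads len bytes from the caller's pointer (buffer over-read) and writes
 * them past the end of data[] (memory corruption).
 * Returns true when the broken check accepts the request. The copy itself
 * is deliberately not performed here so the demonstration cannot crash. */
bool vuln_check(const struct append_buf *b, uint32_t len)
{
    return b->used + len <= CAP;           /* wraps when used + len >= 2^32 */
}

/* Hardened pattern: compare len against the remaining space instead of
 * forming a sum that can overflow. CAP - used cannot wrap because the
 * invariant used <= CAP is checked first. */
bool safe_check(const struct append_buf *b, uint32_t len)
{
    if (b->used > CAP)                     /* corrupted state: refuse */
        return false;
    return len <= CAP - b->used;
}

/* Append using the hardened check; returns bytes copied (0 on rejection). */
uint32_t safe_append(struct append_buf *b, const uint8_t *src, uint32_t len)
{
    if (!safe_check(b, len))
        return 0;
    memcpy(b->data + b->used, src, len);
    b->used += len;
    return len;
}

/* The smallest len for which used + len wraps to exactly 0: shows that a
 * single attacker-controlled length is enough to pass the vulnerable check. */
uint32_t wrapping_len(uint32_t used)
{
    return (uint32_t)(0u - used);          /* == UINT32_MAX - used + 1 */
}

int main(void)
{
    struct append_buf b = { .used = 32 };
    const char *chunk = "0123456789abcdef"; /* constructed sample payload */

    uint32_t evil = wrapping_len(b.used);
    printf("used=%u len=%u: vulnerable check %s, hardened check %s\n",
           b.used, evil,
           vuln_check(&b, evil) ? "ACCEPTS" : "rejects",
           safe_check(&b, evil) ? "accepts" : "REJECTS");

    uint32_t n = safe_append(&b, (const uint8_t *)chunk, 16);
    printf("safe_append of 16 bytes copied %u, used now %u\n", n, b.used);
    n = safe_append(&b, (const uint8_t *)chunk, 20);   /* 48 + 20 > 64 */
    printf("safe_append of 20 more bytes copied %u (rejected)\n", n);
    return 0;
}
```

The hardened form also rejects a corrupted `used` field rather than trusting it, which is the difference between a check that holds under every input and one that merely holds for well-behaved callers; static analysers and sanitizers (UBSan's unsigned-integer-overflow check) flag the first form directly.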
While technical specifics about the real-world exploitation remain undisclosed, Google acknowledged in its March 2026 Android security bulletin that there are indications the vulnerability may be under limited, targeted exploitation. The absence of public details suggests the attacks are focused and selective rather than widespread. Flaws in core components, particularly those tied to graphics processing and chipset-level operations, carry significant risk because of their deep integration into the device architecture and their reachability from less privileged code. Qualcomm's role as a major chipset supplier across a broad range of Android smartphones widens the potential exposure footprint, although patches are now available to device manufacturers and partners.
The March 2026 Android update addresses a total of 129 vulnerabilities, a substantial jump compared to earlier months: Google fixed one Android vulnerability in January 2026 and none in February, so the latest bulletin is considerably more extensive. Among the patched issues is a critical flaw in the System component, CVE-2026-0006, which could allow remote code execution without additional privileges or user interaction. Such a scenario is particularly severe because exploitation does not depend on any user action, which raises the stakes for timely patch deployment. Google also resolved several other high-impact vulnerabilities, including a privilege escalation flaw in the Framework component tracked as CVE-2026-0047 and a denial of service issue in the System component tracked as CVE-2025-48631.
Kernel components also received multiple fixes, with seven privilege escalation vulnerabilities patched under CVE-2024-43859, CVE-2026-0037, CVE-2026-0038, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031. The bulletin defines two patch levels, 2026-03-01 and 2026-03-05, which lets Android partners ship the fixes common to all devices first while the later level adds the component-specific ones for particular hardware configurations. The 2026-03-05 level incorporates updates not only for Kernel components but also for third-party technology providers including Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc, so a device is only covered against CVE-2026-21385 once it reports a patch level of 2026-03-05 or later. Device manufacturers are expected to integrate these fixes into their firmware updates, though rollout timelines vary with each vendor's testing and distribution processes; the installed level is shown under Settings > About phone and can also be read with adb shell getprop ro.build.version.security_patch.