Google has rolled out Android security updates containing patches for nearly 130 vulnerabilities, including an exploited zero-day tracked as CVE-2026-21385. The flaw affects the graphics component of over 200 Qualcomm chipsets and can lead to memory corruption through an integer overflow or wraparound. According to Jamf senior enterprise strategy manager Adam Boynton, successful exploitation could allow attackers to bypass security controls and gain unauthorised control over the system.
The bug was reported on 18 December 2025 through the Google Android Security team, with Qualcomm notifying customers on 2 February 2026 and disclosing the defect on 3 March 2026.
Fixes for the CVE were included in the second part of this month’s Android updates, which arrives at the 2026-03-05 security patch level and addresses over 60 vulnerabilities across kernel, Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm components. The first part (2026-03-01 patch level) fixes more than 50 issues in the Framework and System components. Google notes there are indications that CVE-2026-21385 may be under limited, targeted exploitation. Wear OS also received fixes in this update cycle.
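
Because the CVE-2026-21385 fix ships only at the 2026-03-05 level, a device reporting 2026-03-01 is still missing it. The following added example (not from Google, Qualcomm or Jamf) sorts a fleet inventory by the two patch levels; the inventory rows, device IDs and the `soc` field are constructed, and treating every Qualcomm device below 2026-03-05 as possibly exposed is an assumption, since the article does not list the affected chipsets.

```python
from datetime import date

# Patch levels stated in the article.
PART_ONE = date(2026, 3, 1)   # Framework and System fixes
PART_TWO = date(2026, 3, 5)   # adds kernel/vendor fixes, including CVE-2026-21385

# Constructed inventory (hypothetical devices): id, SoC vendor, reported patch level.
SAMPLE_INVENTORY = """\
dev-001,qualcomm,2026-03-05
dev-002,qualcomm,2026-03-01
dev-003,mediatek,2026-02-05
dev-004,qualcomm,2025-12-01
dev-005,qualcomm,unknown
"""

def classify(patch_level: str) -> str:
    """Map a YYYY-MM-DD security patch level string to a coverage bucket."""
    try:
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"          # unparseable values need manual review
    if level >= PART_TWO:
        return "full"             # both parts of the March updates applied
    if level >= PART_ONE:
        return "framework-only"   # part one only; CVE-2026-21385 fix absent
    return "behind"               # predates this month's updates

def triage(inventory: str) -> dict:
    """Return {device_id: (bucket, needs_cve_fix)} for each inventory row."""
    result = {}
    for row in inventory.splitlines():
        if not row.strip():
            continue
        dev_id, soc, patch = (f.strip() for f in row.split(","))
        bucket = classify(patch)
        # Assumption: any Qualcomm device below 2026-03-05 is treated as
        # possibly exposed; the article does not list the affected chipsets.
        needs_fix = soc.lower() == "qualcomm" and bucket != "full"
        result[dev_id] = (bucket, needs_fix)
    return result

if __name__ == "__main__":
    for dev, (bucket, needs_fix) in triage(SAMPLE_INVENTORY).items():
        flag = "  <- prioritise for CVE-2026-21385" if needs_fix else ""
        print(f"{dev}: {bucket}{flag}")
```

On a device, the patch level string is the value of the `ro.build.version.security_patch` system property.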