securityaffairs.com 3/3/2026, 11:02:49 AM · via preferred

CVE-2026-21385 exploited in Qualcomm graphics on Android devices

CyberSIXT Evidence Panel
Primary Source: source.android.com
CISA KEV: Not in KEV
Patch Status: Unknown

Google has confirmed that CVE-2026-21385, a high-severity flaw affecting an open-source Qualcomm component used in Android devices, has been actively exploited in real-world attacks. According to Google's advisory, there are indications of limited, targeted exploitation.

The vulnerability is a buffer over-read in the Graphics component that could allow attackers to access sensitive memory data. Qualcomm's advisory notes issues described as “Integer Overflow or Wraparound in Graphics” and “Memory corruption while using alignments for memory allocation.” Qualcomm received a report about CVE-2026-21385 from Google's Android Security team on 18 December 2025 and notified customers on 2 February 2026. Google says it sees signs of limited, targeted exploitation but has not shared technical details.

The March 2026 Android update fixes 129 vulnerabilities, including the critical CVE-2026-0006, which allows remote code execution without user interaction or additional privileges. Google's Android Security Bulletin for March 2026 also introduces two patch levels, 2026-03-01 and 2026-03-05, to help device makers roll out fixes across different models.


Article by CyberSIXT