A new Qualcomm bug has been exploited in limited and targeted attacks against vulnerable Android devices. Google published its monthly Android security bulletin on 2 March 2026, listing more than 100 CVEs. Among them, CVE-2026-21385 is described as a high-severity memory corruption flaw in Qualcomm's graphics kernel that affects a wide range of chipsets and has a CVSS score of 7.8.
The Android bulletin states there are indications that CVE-2026-21385 may be under limited, targeted exploitation, a claim echoed by discussions with industry experts. Patches for CVE-2026-21385 are available and are being shared with OEMs, while patches for CVE-2026-0047, a critical local privilege escalation in Android’s ActivityManagerService, are also available via the Android Open Source Project.
The article notes that while one analyst cautions against speculation, the pattern could indicate a nation-state actor or commercial surveillance activity, and that such chained techniques complicate attribution and may surface only in post-incident forensics.