Google has confirmed CVE-2026-21385, a high‑severity buffer over-read in a Qualcomm open‑source Android Graphics component, which Qualcomm described as memory corruption when adding user‑supplied data without checking available buffer space (an advisory notes it as an integer overflow). Has the vulnerability, rated CVSS 7.8, been exploited in the wild?
The article states there are currently no public details on active exploitation, but there are indications that CVE-2026-21385 may be under limited, targeted exploitation, according to the Android security bulletin. The chipmaker said the flaw was reported to it through Google's Android Security team on 18 December 2025, with customer notification on 2 February 2026.
In its March 2026 update, Google patched a total of 129 vulnerabilities, including a critical flaw in the System component (CVE-2026-0006) and several other entries across Framework, Kernel and other components; the Android bulletin also lists two patch levels, 2026-03-01 and 2026-03-05, to help partners address vulnerabilities across different devices.