This post covers a security update. Patch timelines and exploitation details may change. Check the official Android Security Bulletin for the authoritative record.
What’s New This Week
Google released its March 2026 Android security bulletin on March 3rd, patching 129 vulnerabilities including CVE-2026-21385 – a Qualcomm graphics component zero-day that was already under limited, targeted exploitation before the fix shipped.
Changelog
| Date | Summary |
|---|---|
| 25 Mar 2026 | Initial publication. |
CVE-2026-21385 is an integer overflow in a Qualcomm graphics and display component. The overflow occurs during memory alignment calculations, leading to memory corruption. Google’s Android security team reported it to Qualcomm on December 18, 2025. Qualcomm notified its customers in February 2026. By the time patches shipped this month, the vulnerability was already under limited, targeted exploitation in the wild.
The official Android Security Bulletin uses careful language: “There are indications that CVE-2026-21385 may be under limited, targeted exploitation.” That’s the standard Google phrasing when real-world abuse has been observed but mass exploitation hasn’t been confirmed. Take it seriously regardless – the patch exists, the attack exists, and most Android devices run Qualcomm silicon.
Scope
Qualcomm reports that CVE-2026-21385 affects 234 chipsets – most of the Qualcomm lineup from the past several years. That covers Snapdragon processors in flagship phones from Samsung, OnePlus, Xiaomi, Sony, and most of the rest of the Android ecosystem. If your fleet runs Qualcomm silicon, it’s in scope.
The severity rating is High (CVSS 7.8). Exploitation requires local access rather than a remote trigger, which limits the blast radius compared to a remote code execution flaw. But “local access” isn’t as constrained as it sounds: a malicious app the user installs qualifies. The real risk is a multi-stage attack where an initial compromise hands an attacker the local foothold they need to trigger this.
Two patch levels
Google’s March bulletin ships in two layers. Patch level 2026-03-01 covers 63 Android framework and system vulnerabilities. Patch level 2026-03-05 adds 66 hardware-level fixes for components from Qualcomm, ARM, MediaTek, and other vendors – including the CVE-2026-21385 fix.
You need 2026-03-05 to close the zero-day. Check Settings → About phone → Android security patch level. If it reads March 1, you’re not fully covered.
Samsung
Samsung is coordinating its own update track for Galaxy S25 and S26 series devices, addressing 65 vulnerabilities in total – the standard Android issues plus 5 Samsung-specific flaws. Samsung pushes through its own update servers rather than Google’s. Check Settings → Software Update on Galaxy devices separately. Don’t assume the standard Android update path covers everything on Galaxy hardware.
What to do
For individual devices: pull the update now. Settings → System → Software Update. Confirm the patch level shows 2026-03-05 after reboot.
For enterprise fleets: prioritize Qualcomm-based devices and check your MDM for compliance status against 2026-03-05. The 234-chipset scope means most modern Android enterprise devices are affected. If you don’t have visibility into patch level distribution across your fleet, now is the time to build it – this update gives you a concrete reason to justify the work.
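The check described above, written out as an added example (not from the post or from any MDM vendor): on a single device the patch level is the `ro.build.version.security_patch` property (`adb shell getprop ro.build.version.security_patch`), and for a fleet the same comparison is run over an MDM export. The CSV column names (`device_id`, `soc_vendor`, `security_patch`) and the sample rows are constructed assumptions; adapt them to whatever your MDM actually exports. Devices that report a date before 2026-03-05 are flagged, and Qualcomm devices among them are pulled into a priority bucket, matching the post's advice; a device reporting exactly 2026-03-01 is the trap the post warns about and lands in that bucket.

```python
import csv
import io
from datetime import date

# Patch level that closes CVE-2026-21385 (the hardware layer of the March 2026 bulletin).
REQUIRED_PATCH_LEVEL = "2026-03-05"

# SoC vendors to prioritise; the post singles out Qualcomm silicon.
PRIORITY_VENDORS = {"qualcomm"}


def parse_patch_level(value):
    """Parse an Android security patch level (YYYY-MM-DD, the format reported by
    ro.build.version.security_patch) into a date; anything else is treated as unknown."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None


def is_patched(patch_level, required=REQUIRED_PATCH_LEVEL):
    """True when the reported patch level is at or beyond the required level."""
    have = parse_patch_level(patch_level)
    return have is not None and have >= date.fromisoformat(required)


def triage_fleet(csv_text, required=REQUIRED_PATCH_LEVEL):
    """Sort devices from an MDM export into buckets:
    compliant  - patch level >= required
    priority   - not compliant and SoC vendor is in PRIORITY_VENDORS
    unpatched  - not compliant, other vendors
    unknown    - patch level missing or unparseable (needs manual follow-up)
    Column names are assumptions about the export format, not a real MDM schema."""
    buckets = {"compliant": [], "priority": [], "unpatched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        dev = row["device_id"]
        level = row.get("security_patch") or ""
        vendor = (row.get("soc_vendor") or "").strip().lower()
        if parse_patch_level(level) is None:
            buckets["unknown"].append(dev)
        elif is_patched(level, required):
            buckets["compliant"].append(dev)
        elif vendor in PRIORITY_VENDORS:
            buckets["priority"].append(dev)
        else:
            buckets["unpatched"].append(dev)
    return buckets


# Constructed sample export; device ids, vendors and dates are made up for the example.
SAMPLE_EXPORT = """device_id,soc_vendor,security_patch
A1,Qualcomm,2026-03-05
A2,Qualcomm,2026-03-01
A3,OtherVendor,2026-02-05
A4,Qualcomm,2026-01-01
A5,Qualcomm,
"""

if __name__ == "__main__":
    for bucket, devices in triage_fleet(SAMPLE_EXPORT).items():
        print(f"{bucket:10} {devices}")
```

The comparison is done on parsed dates rather than on the raw string so that a device reporting a later bulletin (say 2026-04-05) is still counted as covered, and a blank or malformed value goes to `unknown` rather than silently passing or failing. Treat the `unknown` bucket as work, not noise: a device that cannot report its patch level is usually the one running an old OEM image or custom firmware mentioned further down.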
The 63 non-hardware fixes in the March 1 layer cover Android Framework, System, and other components. Some are rated Critical. The full bulletin is worth scanning if you have any unusual exposure scenarios, such as devices running custom firmware or older OEM images that may not receive timely updates.
129 patches in a single month is well above the typical 40-60 range. That volume alone would warrant attention. The actively exploited zero-day makes this one non-negotiable. The question isn’t whether to patch – it’s how quickly you can confirm you have.