Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited
Source: The Hacker News

Google disclosed on Monday that a high‑severity security flaw affecting an open‑source Qualcomm component used in Android devices has been exploited in the wild.
The vulnerability is CVE‑2026‑21385 (CVSS 7.8), a buffer over‑read in the Graphics component. Qualcomm described it as “memory corruption when adding user‑supplied data without checking available buffer space,” identifying it as an integer overflow.
The chipmaker said the flaw was reported to it through Google’s Android Security team on 18 December 2025, and customers were notified on 2 February 2026.
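
The bug class Qualcomm names, a space check defeated by integer wraparound, can be illustrated with a generic example added here; it is not Qualcomm's code and does not reflect the actual flaw, whose details are unpublished. The structure `cmd_buf`, the function names, and all values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-capacity buffer that user-supplied data is appended to. */
struct cmd_buf {
    uint8_t  data[64];
    uint32_t used;      /* bytes already stored */
};

/* Flawed space check: used + len is computed modulo 2^32, so a huge len
 * wraps to a small sum and the check passes. */
static int fits_wrapping(uint32_t used, uint32_t cap, uint32_t len)
{
    return (uint32_t)(used + len) <= cap;
}

/* Hardened check: compare len against the remaining space, so nothing is
 * added before the comparison and nothing can wrap. */
static int fits_checked(uint32_t used, uint32_t cap, uint32_t len)
{
    return used <= cap && len <= cap - used;
}

/* Append using the hardened check; returns 0 on success, -1 if rejected. */
static int buf_append(struct cmd_buf *b, const void *src, uint32_t len)
{
    if (!fits_checked(b->used, (uint32_t)sizeof b->data, len))
        return -1;
    memcpy(b->data + b->used, src, len);
    b->used += len;
    return 0;
}

int main(void)
{
    /* Constructed values: 16 bytes used, oversized length near 2^32. */
    uint32_t used = 16, cap = 64, len = 0xFFFFFFF8u;

    printf("wrapping check accepts: %d\n", fits_wrapping(used, cap, len));
    printf("hardened check accepts: %d\n", fits_checked(used, cap, len));
    return 0;
}
```

The same rule applies to any length or offset arithmetic on untrusted input: subtract from the known-good bound instead of adding to the untrusted value.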

Exploitation Status
Details on how CVE‑2026‑21385 is being exploited have not been released. However, Google’s monthly Android security bulletin notes “there are indications that CVE‑2026‑21385 may be under limited, targeted exploitation.”

March 2026 Patch Release
Google’s March 2026 update patches a total of 129 vulnerabilities, including:
- Critical: System component (CVE‑2026‑0006) – remote code execution without privileges or user interaction.
- Privilege escalation: Framework (CVE‑2026‑0047).
- Denial‑of‑service: System (CVE‑2025‑48631).
- Privilege escalation (Kernel): CVE‑2024‑43859, CVE‑2026‑0037, CVE‑2026‑0038, CVE‑2026‑0027, CVE‑2026‑0028, CVE‑2026‑0030, CVE‑2026‑0031.
The bulletin provides two patch levels—2026‑03‑01 and 2026‑03‑05—to give Android partners flexibility in addressing common vulnerabilities across devices. The later patch level includes fixes for Kernel components from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc.