Google has issued a security update addressing 129 vulnerabilities in the Android operating system, including a zero-day flaw in a Qualcomm component that has been actively exploited in targeted attacks. The update, released in two stages on March 1st and March 5th, 2026, patches ten critical-severity bugs and a high-severity vulnerability, CVE-2026-21385, affecting 235 chipsets.
The exploited vulnerability, CVE-2026-21385, is a buffer over-read issue within the Graphics component, an open-source module developed by Qualcomm. According to Google’s security advisory, “There are indications that CVE-2026-21385 may be under limited, targeted exploitation.” Qualcomm identified the vulnerability on December 18, 2025, and notified customers on February 2, 2026.
Qualcomm described the flaw as a memory corruption issue stemming from the addition of user-supplied data without adequate buffer space checks. The vulnerability carries a severity score of 7.8 out of 10.
Beyond the actively exploited zero-day, Google addressed ten critical vulnerabilities across System, Framework, and Kernel components. These flaws could allow remote code execution, privilege escalation, and denial-of-service attacks. Google highlighted a particularly severe vulnerability in the System component, stating that it could enable remote code execution without requiring additional privileges or user interaction.
The company released two separate patch sets – 2026-03-01 and 2026-03-05 – to address the identified vulnerabilities. The second patch set incorporates fixes for all 129 bugs, as well as fixes for issues in closed-source third-party components and kernel subcomponents.
Pixel devices, manufactured directly by Google, are receiving the updates first. However, the fragmented nature of the Android ecosystem means that the rollout to devices from other manufacturers, such as Samsung, OnePlus, and Xiaomi, will likely be delayed as each OEM integrates the patches into their respective products and update schedules.
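A triage check for the two patch sets described above, as an added example rather than code from Google or the article: it classifies a device's reported security patch level (the `ro.build.version.security_patch` property, readable with `adb shell getprop`) against 2026-03-01 and 2026-03-05. The device names and inventory are constructed, and the `full`/`partial`/`missing` labels are this example's own.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the two
# March 2026 patch sets named in the article. On a connected device the
# level can be read with: adb shell getprop ro.build.version.security_patch

FIRST_LEVEL=20260301   # 2026-03-01, first patch set (from the article)
FULL_LEVEL=20260305    # 2026-03-05, second patch set with all 129 fixes

# classify_patch_level LEVEL -> prints full | partial | missing | invalid
classify_patch_level() {
    level=$1
    # Patch levels are ISO dates (YYYY-MM-DD); reject anything else so a
    # device that reports nothing is never counted as patched.
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # Strip the dashes so the date compares as a plain integer.
    n=$(echo "$level" | tr -d '-')
    if [ "$n" -ge "$FULL_LEVEL" ]; then
        echo full
    elif [ "$n" -ge "$FIRST_LEVEL" ]; then
        echo partial      # first patch set only
    else
        echo missing      # predates both March 2026 patch sets
    fi
}

# audit_inventory: reads "device patch_level" lines on stdin and prints
# every device that is not at the full 2026-03-05 level.
audit_inventory() {
    while read -r device level; do
        [ -n "$device" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = full ] || echo "$device $level $status"
    done
}

# Constructed sample inventory (device names are made up).
audit_inventory <<'EOF'
pixel-lab-01 2026-03-05
tablet-kiosk-07 2026-03-01
handset-field-12 2026-02-05
handset-field-13 unknown
EOF
```

Devices from other OEMs can stay in the `partial` or `missing` state for some time, so the output doubles as a list of handsets to prioritise for compensating controls until their update arrives.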