Google Confirms Active Exploitation of Critical CVE-2026-21385 in Android Devices

Google Confirms Exploitation of CVE-2026-21385 in Qualcomm’s Android Graphics Component

On March 3, 2026, Google disclosed a high-severity security vulnerability, identified as CVE-2026-21385, affecting an open-source Qualcomm component used in Android devices. The flaw, rated 7.8 on the Common Vulnerability Scoring System (CVSS), is a buffer over-read in the Graphics component.

Qualcomm’s advisory describes the issue as an integer overflow that leads to memory corruption when user-supplied data is added to a buffer without checking the available buffer space. The vulnerability was reported to Qualcomm by Google’s Android Security team on December 18, 2025, and customers were notified on February 2, 2026.
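The bug class described above (an overflowing size calculation that lets a length check pass) is easy to reproduce in a few lines. The following C snippet is an added illustration written for this article; it is not Qualcomm's code and says nothing about the actual driver logic. The buffer size `OUT_BUF_SIZE`, the function names, and the sample values are all hypothetical. It shows the weak check beside the hardened form and an append routine that only copies when the hardened check passes:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size output buffer; not a real Qualcomm structure. */
#define OUT_BUF_SIZE 64u

/* Weak pattern: `used + len` is computed first. size_t arithmetic wraps
 * (well-defined for unsigned types), so a very large attacker-controlled
 * `len` can make the sum small and the check passes even though `len`
 * is far bigger than the buffer. Returns true if the copy would be allowed. */
bool bounds_check_vulnerable(size_t used, size_t len) {
    return used + len <= OUT_BUF_SIZE;
}

/* Hardened pattern: compare `len` against the remaining space instead of
 * adding. No addition means nothing can wrap; the first guard keeps the
 * subtraction from underflowing if `used` is itself inconsistent. */
bool bounds_check_hardened(size_t used, size_t len) {
    if (used > OUT_BUF_SIZE) {
        return false;
    }
    return len <= OUT_BUF_SIZE - used;
}

/* Append `len` bytes from `src` to `out`, which already holds `*used` bytes.
 * Only copies when the hardened check passes. Returns 0 on success and -1
 * when the request is rejected; `*used` is left untouched on rejection. */
int append_checked(unsigned char *out, size_t *used,
                   const unsigned char *src, size_t len) {
    if (!bounds_check_hardened(*used, len)) {
        return -1;
    }
    memcpy(out + *used, src, len);
    *used += len;
    return 0;
}

int main(void) {
    /* Constructed sample values: 16 bytes already in the buffer and an
     * attacker-chosen length of SIZE_MAX - 8. The sum wraps to 7. */
    size_t used = 16;
    size_t evil_len = SIZE_MAX - 8;

    printf("weak check allows copy:     %s\n",
           bounds_check_vulnerable(used, evil_len) ? "yes" : "no");
    printf("hardened check allows copy: %s\n",
           bounds_check_hardened(used, evil_len) ? "yes" : "no");

    unsigned char out[OUT_BUF_SIZE];
    size_t filled = 0;
    const unsigned char payload[4] = {1, 2, 3, 4};
    printf("append 4 bytes: %d (used=%zu)\n",
           append_checked(out, &filled, payload, 4), filled);
    printf("append huge:    %d (used=%zu)\n",
           append_checked(out, &filled, payload, evil_len), filled);
    return 0;
}
```

The weak form reports that the oversized write fits, which is exactly the condition under which a later copy reads or writes past the end of the buffer. Rewriting the comparison so that it never performs the addition removes the wrap; static analyzers and compiler flags such as `-fsanitize=unsigned-integer-overflow` (clang) can flag the weak form during development.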

While specific details regarding the exploitation methods remain undisclosed, Google’s March 2026 Android security bulletin states that there are indications CVE-2026-21385 may be under limited, targeted exploitation. This suggests that malicious actors have been actively leveraging the vulnerability in real-world attacks.

In response, Google’s March 2026 update addresses a total of 129 vulnerabilities, including:

– CVE-2026-0006: A critical flaw in the System component that could lead to remote code execution without requiring additional privileges or user interaction.

– CVE-2026-0047: A privilege escalation bug in the Framework component.

– CVE-2025-48631: A denial-of-service (DoS) vulnerability in the System component.

– Seven privilege escalation flaws in Kernel components, identified as CVE-2024-43859, CVE-2026-0037, CVE-2026-0038, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031.

To facilitate timely mitigation, the Android security bulletin provides two patch levels—2026-03-01 and 2026-03-05—allowing Android partners to address vulnerabilities across various devices more efficiently. The latter patch level includes fixes for Kernel components and vulnerabilities from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-21385 to its Known Exploited Vulnerabilities (KEV) catalog as of March 3, 2026. Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary fixes by March 24, 2026, to mitigate potential threats.