Android March 2026 Security Patch Fixes Over 100 Vulnerabilities Including One Under Active Exploitation
A recent security update for Android addresses vulnerabilities across many components, including one flaw confirmed to be under active, targeted exploitation. A security patch level of 2026-03-05 or later contains fixes for all disclosed issues.
Notable Vulnerabilities
The update includes a fix for CVE-2026-21385, a High-severity vulnerability in the Qualcomm Display component. This flaw is believed to be under limited, targeted exploitation, and organizations using devices with Qualcomm chipsets should prioritize patching this issue.
A critical vulnerability in the System component, CVE-2026-0006, could allow remote code execution without requiring user interaction or additional execution privileges. This flaw affects Android 16 and is tied to the Media Codecs Mainline component, which can receive updates through Google Play system updates on eligible devices.
Another critical issue in the System component, CVE-2025-48631, carries a denial-of-service classification and affects Android 14, 15, 16, and 16-QPR2.
Additional Vulnerabilities
The Framework component contains a critical-rated issue, CVE-2026-0047, which enables local escalation of privilege and affects only Android 16-QPR2.
Several critical elevation-of-privilege flaws affect the Protected Kernel-Based Virtual Machine (pKVM) subsystem, including CVE-2026-0037, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031.
Additionally, CVE-2024-43859 affects the Flash-Friendly File System (F2FS), and CVE-2026-0038 affects the Hypervisor.
Third-Party Vendor Vulnerabilities
Third-party silicon and component vendors account for a substantial portion of the bulletin’s total vulnerability count. MediaTek disclosures include 20 CVEs spanning the KeyInstall component, display subsystem, and multiple modem-related flaws.
Qualcomm contributes six open-source CVEs in the Display and Security components, plus eight additional closed-source component entries.
Imagination Technologies accounts for seven PowerVR GPU issues, and Unisoc lists seven modem vulnerabilities.
A single Arm Mali entry and one VBMeta issue from a miscellaneous OEM round out the hardware-vendor section.
Conclusion
All hardware-vendor entries in this bulletin are rated High, with severity assessments coming directly from the respective vendors.
Source code patches will be released to the Android Open Source Project repository.
Devices on Android 10 and later may receive applicable Mainline component updates through Google Play system updates independently of carrier or OEM OTA schedules.
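To apply the patch-level and prioritization guidance above across a device fleet, the following added example (not from the bulletin or from Google) triages `adb shell getprop` dumps against the 2026-03-05 patch level. The sample dumps are constructed, and the `ro.soc.manufacturer` strings treated as Qualcomm are an assumption to adjust for your inventory.

```python
import re
from datetime import date

REQUIRED_PATCH = date(2026, 3, 5)  # patch level named in the article
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")  # getprop line: [key]: [value]

def parse_getprop(text):
    """Parse `adb shell getprop` output into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def triage(props):
    """Return (priority, reasons) for one device's properties."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        level = date.fromisoformat(raw)
    except ValueError:
        return "unknown", [f"patch level missing or malformed: {raw!r}"]
    if level >= REQUIRED_PATCH:
        return "ok", []
    priority = "normal"
    reasons = [f"patch level {level} is older than {REQUIRED_PATCH}"]
    # Assumption: Qualcomm devices report one of these vendor strings.
    if props.get("ro.soc.manufacturer", "").lower() in ("qualcomm", "qti"):
        priority = "urgent"
        reasons.append("Qualcomm chipset: CVE-2026-21385 is under targeted exploitation")
    if props.get("ro.build.version.release") == "16":
        priority = "urgent"
        # A Google Play system update may already carry this fix; confirm on the device.
        reasons.append("Android 16: CVE-2026-0006 (critical RCE, no user interaction)")
    return priority, reasons

# Constructed sample dumps (not real devices).
SAMPLES = {
    "device-a": "[ro.build.version.release]: [15]\n[ro.build.version.security_patch]: [2026-02-05]\n[ro.soc.manufacturer]: [QTI]",
    "device-b": "[ro.build.version.release]: [16]\n[ro.build.version.security_patch]: [2026-03-05]\n[ro.soc.manufacturer]: [Qualcomm]",
    "device-c": "[ro.build.version.release]: [14]\n[ro.build.version.security_patch]: [2026-01-01]\n[ro.soc.manufacturer]: [MediaTek]",
    "device-d": "[ro.build.version.release]: [16]",
}

def triage_fleet(samples=SAMPLES):
    """Map each device name to its priority label."""
    return {name: triage(parse_getprop(dump))[0] for name, dump in samples.items()}
```

A device reported as `unknown` should be treated as unpatched until its patch level is confirmed.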
