Google Confirms Qualcomm Android Component Vulnerability CVE-2026-21385 Exploitation
Severe Security Vulnerability in Qualcomm Component Exploited in the Wild
A severe security vulnerability in a Qualcomm component used in Android devices has been exploited in the wild, according to Google. The flaw, identified as CVE-2026-21385, carries a CVSS score of 7.8 and affects the Graphics component. It allows for memory corruption when user-supplied data is added without checking the available buffer space, resulting in an integer overflow.
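The bug class described above, shown as an added example that is not code from Qualcomm, Google, or the original article: a length check whose 32-bit sum wraps around, next to a check that cannot wrap. The buffer type, function names, and the hostile length value are all hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer for illustration; not taken from the affected component. */
struct buf {
    uint8_t  data[64];
    uint32_t used;              /* bytes already stored, invariant: <= sizeof data */
};

/* Flawed check: the 32-bit sum wraps for a huge len, so the data seems to fit. */
static bool naive_fits(const struct buf *b, uint32_t len)
{
    uint32_t end = b->used + len;           /* can wrap past UINT32_MAX */
    return end <= sizeof(b->data);
}

/* Hardened check: compare len with the space left; no sum of untrusted values. */
static bool safe_fits(const struct buf *b, uint32_t len)
{
    return b->used <= sizeof(b->data) && len <= sizeof(b->data) - b->used;
}

/* Copy only after the hardened check; on rejection the buffer is unchanged. */
static bool safe_append(struct buf *b, const uint8_t *src, uint32_t len)
{
    if (!safe_fits(b, len))
        return false;
    memcpy(b->data + b->used, src, len);
    b->used += len;
    return true;
}

int main(void)
{
    struct buf b = { .used = 16 };
    uint32_t hostile = 0xFFFFFFF8u;         /* constructed length: 16 + len wraps to 8 */
    uint8_t src[48] = { 0 };

    printf("naive check accepts hostile length: %d\n", naive_fits(&b, hostile));
    printf("safe check accepts hostile length:  %d\n", safe_fits(&b, hostile));
    printf("safe append of 48 bytes:            %d\n", safe_append(&b, src, (uint32_t)sizeof src));
    printf("safe append of 1 more byte:         %d\n", safe_append(&b, src, 1));
    return 0;
}
```

The flawed check is never followed by a copy here; the example only shows that it would approve a length the hardened check rejects.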
Discovery and Disclosure
Qualcomm said the vulnerability was reported to it through Google’s Android Security team on December 18, 2025. The company notified its customers about the security defect on February 2, 2026.
Exploitation and Patch
While details on the exploitation of the vulnerability are scarce, Google acknowledged that there are indications of limited, targeted exploitation. The vulnerability is one of 129 security flaws patched by Google in its March 2026 update.
Other Critical Vulnerabilities Patched
The update also includes fixes for a critical flaw in the System component (CVE-2026-0006) that could lead to remote code execution without requiring any additional privileges or user interaction. Other critical-rated bugs addressed by Google include a privilege escalation bug in Framework (CVE-2026-0047), a denial-of-service (DoS) in System (CVE-2025-48631), and seven privilege escalation flaws in Kernel components (CVE-2024-43859, CVE-2026-0037, CVE-2026-0038, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031).
Android Security Bulletin
The Android security bulletin includes two patch levels, 2026-03-01 and 2026-03-05, to provide Android partners with flexibility in addressing common vulnerabilities on different devices. The second patch level includes fixes for Kernel components, as well as those from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc.
Comparison to Previous Months
Google’s March 2026 update marks a significant increase in the number of vulnerabilities addressed, compared to the previous month, when no Android vulnerabilities were patched. In January 2026, only one Android vulnerability was addressed.
