Android devices hit by exploited Qualcomm flaw CVE-2026-21385

Google confirms that the Qualcomm Android vulnerability CVE-2026-21385 was exploited in real-world attacks.
Google has confirmed that CVE-2026-21385 (CVSS score of 7.8), a high-severity vulnerability affecting an open-source Qualcomm component used in Android devices, has been actively exploited.
“There are indications that CVE-2026-21385 may be under limited, targeted exploitation,” reads Google’s advisory.
The flaw is a buffer over-read in the Graphics component that could allow attackers to access sensitive memory data, underscoring ongoing risks to Android users.
The company did not disclose technical details about the attacks exploiting this vulnerability.
“Integer Overflow or Wraparound in Graphics,” reads the Qualcomm advisory. “Memory corruption while using alignments for memory allocation.”
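The advisory names the bug class (an integer wraparound while computing an aligned allocation size) without giving code. The following is an added illustrative example, written for this page and not Qualcomm's code or anything taken from the advisory: it models a generic align-up helper of the kind used to size allocations, shows how a request near SIZE_MAX wraps to a tiny size in the unchecked form, and gives a checked form that rejects the request instead. The function names and values are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative helper (hypothetical, not from any vendor codebase).
 * Classic round-up to a power-of-two alignment:
 *   (size + align - 1) & ~(align - 1)
 * Unsigned arithmetic wraps silently, so for size close to SIZE_MAX the
 * addition overflows and the result is a small number. An allocator that
 * trusts this value hands back far less memory than the caller believes it
 * has, which is the "memory corruption while using alignments for memory
 * allocation" pattern described in the advisory. */
static size_t align_up_unchecked(size_t size, size_t align)
{
    return (size + align - 1) & ~(align - 1);
}

/* Checked variant: rejects non-power-of-two alignments and detects the
 * wrap before performing the addition. Returns false on any error. */
static bool align_up_checked(size_t size, size_t align, size_t *out)
{
    if (align == 0 || (align & (align - 1)) != 0)
        return false;                /* alignment must be a power of two */
    if (size > SIZE_MAX - (align - 1))
        return false;                /* size + (align - 1) would wrap */
    *out = (size + align - 1) & ~(align - 1);
    return true;
}

/* Convenience wrapper: returns the padded size for a non-zero request, or
 * 0 when the request cannot be represented. Since a non-zero request never
 * legitimately pads to 0, callers can test the result directly. */
static size_t checked_alloc_size(size_t size, size_t align)
{
    size_t padded;
    if (size == 0 || !align_up_checked(size, align, &padded))
        return 0;
    return padded;
}

int main(void)
{
    /* Constructed request: 2 bytes short of SIZE_MAX, 64-byte alignment. */
    size_t huge = SIZE_MAX - 2;

    printf("unchecked: request %zu -> padded %zu\n",
           huge, align_up_unchecked(huge, 64));       /* wraps to 0 */
    printf("checked:   request %zu -> padded %zu (0 = rejected)\n",
           huge, checked_alloc_size(huge, 64));
    printf("checked:   request 100 -> padded %zu\n",
           checked_alloc_size(100, 64));              /* 128 */
    return 0;
}
```

The detection point is the comparison against `SIZE_MAX - (align - 1)`: it asks whether the addition will wrap without actually performing it, which is the only portable way to catch unsigned overflow in C. Compiling with `-fsanitize=undefined` will not flag the unchecked version, because unsigned wraparound is defined behaviour, so the check has to be explicit.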
Qualcomm received a report about CVE-2026-21385 from Google’s Android Security team on December 18, 2025, and notified customers on February 2, 2026. Google says it sees signs of limited, targeted exploitation, though it has not shared technical details. The March 2026 Android update fixes 129 vulnerabilities, including the critical CVE-2026-0006, which allows remote code execution without user interaction or additional privileges.
The Android Security Bulletin for March 2026 addresses the following critical flaws:

Framework
CVE-2026-0047 (CVSS score of 8.8) – Critical Framework Elevation of Privilege; local privilege escalation without extra privileges; no user interaction needed.

System
CVE-2026-0006 (CVSS score of 9.8) – Critical System Remote Code Execution; remote code execution without privileges; no user interaction; the most severe issue in the bulletin.
CVE-2025-48631 (CVSS score of 8.6) – Critical System Denial of Service; causes device/service denial; no extra privileges needed.

Kernel
CVE-2024-43859 (CVSS score of 8.8) – Critical Kernel Elevation of Privilege in the Flash-Friendly File System; local file system privilege escalation.
CVE-2026-0037 (CVSS score of 9.0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege; breaks virtual machine isolation with System privileges.
CVE-2026-0038 (CVSS score of 9.0) – Critical Hypervisor Elevation of Privilege; potential virtual machine escape to host control.
CVE-2026-0027 (CVSS score of 9.0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege; kernel virtualization privilege escalation.
CVE-2026-0028 (CVSS score of 9.0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege; local attacker escalates privileges in protected virtual machines.
CVE-2026-0030 (CVSS score of 9.0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege; high-impact virtualization isolation bypass.
CVE-2026-0031 (CVSS score of 9.0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege; escalates privileges across virtual machine boundaries.
Google’s Android security bulletin introduces two patch levels, 2026-03-01 and 2026-03-05, to help device makers roll out fixes more quickly across different models. The later patch level adds updates for
