Google’s Biggest Android Security Update in Years Fixes 129 Bugs, Including an Actively Exploited Zero-Day

Google just dropped its largest security update in nearly eight years.
The March 2026 Android Security Bulletin, published Monday, addresses 129 vulnerabilities across the mobile operating system. It’s the highest number of patches in a single month since April 2018.
But one vulnerability in particular has security teams on high alert: CVE-2026-21385, a zero-day flaw that Google confirms is already under attack.
The vulnerability resides in an open-source Qualcomm graphics component and affects 234 different chipsets, according to Qualcomm’s security advisory. Google’s Threat Analysis Group discovered the flaw and reported it to Qualcomm on December 18, 2025.
“There are indications that CVE-2026-21385 may be under limited, targeted exploitation,” Google stated in its security bulletin.
While the company didn’t provide details about who’s being targeted or how widespread the attacks are, the technical nature of the flaw makes it particularly dangerous. The vulnerability is an integer overflow issue in the Graphics subcomponent that leads to memory corruption.
Qualcomm confirmed that fixes were made available to device manufacturers in January 2026. “We encourage end users to apply security updates as they become available from device makers,” a Qualcomm spokesperson told Bleeping Computer.
A massive patch drop
The March update isn’t just about the zero-day. Google fixed 10 critical vulnerabilities across System, Framework, and Kernel components that could allow remote code execution, privilege escalation, or denial-of-service conditions.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google’s bulletin notes. “User interaction is not needed for exploitation.”
The update is split into two security patch levels. The 2026-03-01 patch addresses 63 vulnerabilities, including 32 in the Framework and 19 in the System component. The 2026-03-05 patch level includes everything from the first batch, plus fixes for 66 additional vulnerabilities affecting kernel components and hardware from Arm, Imagination Technologies, MediaTek, and Unisoc.
Who’s at risk?
If you’re using an Android device with a Qualcomm chip, which covers the vast majority of Android phones and tablets, you’re potentially affected. The vulnerability impacts devices with security patch levels before 2026-03-05.
Security experts believe commercial spyware vendors are the most likely threat actors exploiting this flaw. The “limited, targeted” nature of the attacks suggests specific individuals, such as journalists, activists, government officials, or business executives, may be in the crosshairs rather than everyday users.
How to protect yourself
Google says devices running Android 10 and later may receive updates via Google Play system updates, depending on configuration. The company encourages all users to verify their security patch level in device settings and install updates as soon as they become available.
For devices stuck on older patch levels, Google recommends:
- Avoid installing apps from outside official app stores
- Be cautious with websites and email attachments
- Keep Google Play Protect enabled (it’s on by default for devices with Google Mobile Services)
But these are temporary measures. The only real fix is the security update itself.
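As an added example (not from the article or from Google), here is a small fleet-triage script that reads the Android system property `ro.build.version.security_patch` as collected from each device and sorts devices against the two patch levels named in the bulletin: 2026-03-05 or later is fully patched, 2026-03-01 has only the Framework/System fixes and is still exposed to the vendor-side issues including the Qualcomm zero-day, and anything earlier is unpatched. The device names and property lines are constructed sample input; in practice the values come from `adb shell getprop` or an MDM inventory export.

```python
from datetime import date
from typing import Dict, Optional

# Security patch levels named in the March 2026 Android Security Bulletin.
BASE_SPL = date(2026, 3, 1)   # Framework/System fixes only
FULL_SPL = date(2026, 3, 5)   # adds kernel/vendor fixes, including Qualcomm CVE-2026-21385


def parse_spl(value: str) -> Optional[date]:
    """Parse a ro.build.version.security_patch value (YYYY-MM-DD); None if unusable."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def classify(spl: str) -> str:
    """Map a patch-level string to patched / partial / vulnerable / unknown."""
    d = parse_spl(spl)
    if d is None:
        return "unknown"        # empty or malformed property: treat as needing manual review
    if d >= FULL_SPL:
        return "patched"
    if d >= BASE_SPL:
        return "partial"        # 2026-03-01 level: zero-day fix (2026-03-05 level) not applied
    return "vulnerable"


# Constructed sample inventory: "<device> <property>=<value>" per line, as a
# collection script running `adb shell getprop` might emit it.
SAMPLE_INVENTORY = """\
device-a ro.build.version.security_patch=2026-03-05
device-b ro.build.version.security_patch=2026-03-01
device-c ro.build.version.security_patch=2025-12-05
device-d ro.build.version.security_patch=
"""


def triage(inventory: str) -> Dict[str, str]:
    """Return {device: status} for every non-empty line of the inventory."""
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, _, prop = line.partition(" ")
        _, _, value = prop.partition("=")
        result[name] = classify(value)
    return result


if __name__ == "__main__":
    for dev, status in triage(SAMPLE_INVENTORY).items():
        print(f"{dev}: {status}")
```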
Google says it will release the corresponding source code patches to the Android Open Source Project repository within 48 hours of the bulletin’s publication.
