
Google just dropped its largest security update in nearly eight years.
The March 2026 Android Security Bulletin, published Monday, addresses 129 vulnerabilities across the mobile operating system. It’s the highest number of patches in a single month since April 2018.
But one vulnerability in particular has security teams on high alert: CVE-2026-21385, a zero-day flaw that Google confirms is already under attack.
The vulnerability resides in an open-source Qualcomm graphics component and affects 234 different chipsets, according to Qualcomm’s security advisory. Google’s Threat Analysis Group discovered the flaw and reported it to Qualcomm on December 18, 2025.
“There are indications that CVE-2026-21385 may be under limited, targeted exploitation,” Google said in its security bulletin.
While the company didn’t provide details about who is being targeted or how widespread the attacks are, the technical nature of the flaw makes it particularly dangerous. The vulnerability is an integer overflow issue in the Graphics subcomponent that leads to memory corruption.
Qualcomm confirmed that fixes were made available to device manufacturers in January 2026. “We encourage end users to apply security updates as they become available from device makers,” a Qualcomm spokesperson told BleepingComputer.
A massive patch drop
The March update isn’t just about the zero-day. Google fixed 10 critical vulnerabilities across System, Framework, and Kernel components that could allow remote code execution, privilege escalation, or denial-of-service conditions.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google’s bulletin notes. “User interaction is not needed for exploitation.”
The update is split into two security patch levels. The 2026-03-01 patch addresses 63 vulnerabilities, including 32 in the Framework and 19 in the System component. The 2026-03-05 patch level includes everything from the first batch, plus fixes for 66 additional vulnerabilities affecting kernel components and hardware from Arm, Imagination Technologies, MediaTek, and Unisoc.
Who’s at risk?
If you’re using an Android device with a Qualcomm chip, which covers the vast majority of Android phones and tablets, you’re potentially affected. The vulnerability affects devices with security patch levels before 2026-03-05.
Security experts believe commercial spyware vendors are the most likely threat actors exploiting this flaw. The “limited, targeted” nature of the attacks suggests specific individuals, such as journalists, activists, government officials, or business executives, may be in the crosshairs rather than everyday users.
How to protect yourself
Google says devices running Android 10 and later may receive updates via Google Play system updates, depending on configuration. The company encourages all users to verify their security patch level in device settings and install updates as soon as they become available.
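For anyone checking more than one device, the two patch levels described above can be turned into a simple triage. The following is an added example, not code from Google or Qualcomm: it sorts a device inventory by the security patch level string each device reports (the value shown in settings, also readable with `adb shell getprop ro.build.version.security_patch`). The device names and the inventory are constructed for illustration.

```python
from datetime import date

# Patch levels as stated in the March 2026 bulletin coverage above.
FRAMEWORK_SYSTEM_LEVEL = date(2026, 3, 1)  # 63 fixes, Framework and System
FULL_LEVEL = date(2026, 3, 5)              # first batch plus 66 kernel/vendor fixes


def classify(patch_level):
    """Map a security patch level string (YYYY-MM-DD) to a triage bucket."""
    try:
        level = date.fromisoformat(patch_level.strip())
    except (ValueError, AttributeError):
        # Missing or malformed value: do not assume the device is patched.
        return "unknown"
    if level >= FULL_LEVEL:
        return "patched"
    if level >= FRAMEWORK_SYSTEM_LEVEL:
        # Has the 2026-03-01 fixes only; per the article, levels before
        # 2026-03-05 are still affected by CVE-2026-21385.
        return "partial"
    return "exposed"


def triage(inventory):
    """Group device names by bucket; inventory maps name -> patch level."""
    buckets = {"patched": [], "partial": [], "exposed": [], "unknown": []}
    for device, patch_level in inventory.items():
        buckets[classify(patch_level)].append(device)
    return buckets


# Constructed sample inventory (hypothetical device names and values).
SAMPLE_INVENTORY = {
    "phone-lab-01": "2026-03-05",
    "tablet-kiosk-07": "2026-03-01",
    "phone-field-12": "2025-12-05",
    "handheld-scanner-03": "",
}

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8} {', '.join(devices) or '-'}")
```

Devices in the "partial" and "exposed" buckets are the ones to prioritize for the vendor update; "unknown" entries need a manual check.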
For devices stuck on older patch levels, Google recommends:
- Avoid installing apps from outside official app stores
- Be cautious with websites and email attachments
- Keep Google Play Protect enabled (it’s on by default for devices with Google Mobile Services)

But these are temporary measures. The only real fix is the security update itself.
Google says it will release the corresponding source code patches to the Android Open Source Project repository within 48 hours of the bulletin’s publication.