Android March 2026 Patch: 129 Bugs, One Actively Exploited Zero-Day on 234 Chipsets

Abhishek Gautam · 6 min read

Quick summary

Google's March 2026 Android security update patches 129 vulnerabilities, including CVE-2026-21385, a Qualcomm graphics zero-day that is being exploited in the wild and affects 234 chipsets. CISA has given federal agencies until March 24 to apply the fix.

Google's March 2026 Android security update patches 129 vulnerabilities. That is the highest count in a single monthly bulletin since April 2018.

Two of those 129 matter more than the rest. One is being actively exploited right now.

CVE-2026-21385: The Zero-Day Being Used in Attacks

CVE-2026-21385 is a vulnerability in a Qualcomm graphics component that Google lists among Qualcomm's open-source components. The bulletin states that "there are indications that CVE-2026-21385 may be under limited, targeted exploitation." That is Google's standard wording for a flaw with evidence of real-world exploitation against a small number of targets, as opposed to broad, indiscriminate attacks.

The scope is wide. The flaw affects 234 different Qualcomm chipsets. Qualcomm chips power a large share of Android devices globally, including flagship Snapdragon processors in Samsung Galaxy, OnePlus, and Motorola phones, as well as much mid-range Android hardware worldwide.

CISA added CVE-2026-21385 to its Known Exploited Vulnerabilities catalogue on March 3. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must apply the fix by March 24, 2026. The directive does not bind private sector organisations, but CISA recommends that every organisation prioritise KEV entries, and many treat the federal deadline as the benchmark for urgency.

The specific attack vector has not been publicly disclosed. Qualcomm graphics bugs have historically been reached either through crafted images, video, or GPU operations handled by the driver, or from code already running on the device (a malicious app or a compromised browser process) and then used to escalate to kernel privileges. Until details emerge, plan for both shapes: a targeted attacker may need nothing more from the user than loading certain content, and a foothold inside any app sandbox may be enough to reach the vulnerable code.

CVE-2026-0006: Remote Code Execution, No Interaction Required

The second critical flaw is CVE-2026-0006, in Android's System component. Google rates it critical: remote code execution with no additional execution privileges needed and no user interaction. Google has not published technical details, so the delivery path is not known; what the rating means is that an attacker who can get crafted input to the vulnerable code path can run code on the device without the user doing anything.

Few qualifiers raise the stakes more than "no user interaction required." The user does not have to tap anything, open any file, or visit any URL; whatever the vulnerable input is, the device processes it on its own. One caveat applies to every Android bulletin: Google assigns severity assuming platform and service mitigations are turned off or bypassed, so the practical exposure on a fully hardened device can be lower than the rating alone suggests.

CVE-2026-0006 is not listed as actively exploited, but it is the kind of vulnerability that moves from "no known exploitation" to "actively exploited" within weeks of a public patch. Once the fix lands in AOSP, researchers and attackers can see exactly which code changed, and a patch diff is often enough to reconstruct a trigger.

The Full Scope: 129 Vulnerabilities

The March bulletin is split across two patch levels, 2026-03-01 and 2026-03-05. This is standard practice: the first level carries the Android Framework and System fixes that partners can ship quickly, while the second adds the vendor and kernel fixes that take longer to integrate, so manufacturers can stage their rollouts.

The 2026-03-01 patch level covers 63 vulnerabilities across three areas:

  • 32 in the Android Framework (the application layer where apps run)
  • 19 in the System component (deeper OS functions)
  • 12 affecting Google Play system components

The 2026-03-05 patch level adds the remaining vulnerabilities, primarily in chipset-specific components from Qualcomm, MediaTek, and Arm. The Qualcomm zero-day CVE-2026-21385 is in this second batch, which has a practical consequence: a device reporting patch level 2026-03-01 has the Framework and System fixes but not the Qualcomm one. Only devices at 2026-03-05 or later are patched against the zero-day.

What Developers Need to Do

If you maintain Android apps: This update does not directly affect app-level code, but it changes the threat model for users of your app. If your app handles sensitive data such as healthcare records, financial information, or enterprise credentials, your security posture partly depends on whether your users' devices are patched. Review your MDM/device compliance requirements.

If you build for enterprise Android deployments: Update your Mobile Device Management policy, and set the minimum required security patch level to 2026-03-05 rather than 2026-03-01, since only the later level includes the Qualcomm fix. The CVE-2026-21385 zero-day and the CISA deadline should move this update from "routine monthly patch" to "emergency deployment" in your patch management calendar. March 24 is the federal deadline; for private enterprise, 30 days from disclosure is a common target.

If you test on physical Android devices: Apply the March 2026 security patch before using devices for testing. The update is available now for Pixel devices via Settings. Samsung, OnePlus, and other OEMs typically roll out within 2-6 weeks of Google's bulletin.

If you run Android in kiosk or IoT deployments: Qualcomm-based devices in unattended configurations are exactly the target profile for targeted exploitation. Prioritise this patch cycle.
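The patch-level split described above (2026-03-01 carries only the Framework, System, and Play fixes; 2026-03-05 is the first level that also carries the Qualcomm fix for CVE-2026-21385) is easy to get wrong in a compliance check that just asks "is the device on the March patch?". The script below is an added example, not code from the article or from Google or Qualcomm. It reads the `ro.build.version.security_patch` property (the string Android exposes to apps as `Build.VERSION.SECURITY_PATCH`) for each device in a test bench, kiosk fleet, or MDM export, classifies it against both thresholds, and reports the devices that still need the full level. The fleet data at the bottom is constructed; the `adb` helper is included for real devices but is not used by the sample run.

```python
"""Classify Android devices against the March 2026 security patch levels.

Thresholds taken from the bulletin text above:
  * 2026-03-01: Framework/System/Play fixes only.
  * 2026-03-05: also carries vendor fixes, including CVE-2026-21385.
Sample fleet data at the bottom is constructed for illustration.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from datetime import date

FRAMEWORK_LEVEL = date(2026, 3, 1)
FULL_LEVEL = date(2026, 3, 5)  # minimum level that includes the Qualcomm zero-day fix

_PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_patch_level(raw: str) -> date | None:
    """Parse a YYYY-MM-DD patch string; None if it is missing or malformed."""
    m = _PATCH_RE.match(raw.strip())
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. 2026-02-30: looks like a date but is not one
        return None


@dataclass(frozen=True)
class Verdict:
    serial: str
    patch_level: str
    status: str  # "ok", "framework-only", "outdated" or "unknown"


def classify(serial: str, raw_level: str) -> Verdict:
    """Decide whether one device is fully patched for this bulletin."""
    level = parse_patch_level(raw_level)
    if level is None:
        status = "unknown"  # treat an unreadable property as non-compliant
    elif level >= FULL_LEVEL:
        status = "ok"
    elif level >= FRAMEWORK_LEVEL:
        status = "framework-only"  # has 2026-03-01 fixes, still lacks CVE-2026-21385
    else:
        status = "outdated"
    return Verdict(serial, raw_level.strip(), status)


def noncompliant(fleet: dict[str, str]) -> list[Verdict]:
    """Every device not at 2026-03-05 or later, worst first."""
    order = {"unknown": 0, "outdated": 1, "framework-only": 2}
    verdicts = [classify(serial, level) for serial, level in fleet.items()]
    bad = [v for v in verdicts if v.status != "ok"]
    return sorted(bad, key=lambda v: (order[v.status], v.serial))


def collect_from_adb() -> dict[str, str]:
    """Read the patch property from every device attached over adb (not used below)."""
    out = subprocess.run(["adb", "devices"], capture_output=True, text=True, check=True).stdout
    serials = [ln.split()[0] for ln in out.splitlines()[1:] if ln.strip().endswith("device")]
    fleet: dict[str, str] = {}
    for serial in serials:
        prop = subprocess.run(
            ["adb", "-s", serial, "shell", "getprop", "ro.build.version.security_patch"],
            capture_output=True, text=True, check=True,
        ).stdout
        fleet[serial] = prop
    return fleet


SAMPLE_FLEET = {  # constructed example data, not real device inventory
    "pixel-01": "2026-03-05\n",   # full March level, compliant
    "galaxy-02": "2026-03-01",    # framework batch only, Qualcomm fix missing
    "kiosk-03": "2025-11-01",     # months behind
    "kiosk-04": "",               # property missing or unreadable
    "oneplus-05": "2026-04-01",   # later bulletin, compliant
}

if __name__ == "__main__":
    for v in noncompliant(SAMPLE_FLEET):
        print(f"{v.serial:12} {v.patch_level or '<none>':12} {v.status}")
```

The ordering puts devices with no readable patch level first on purpose: a kiosk image that strips or mangles the property cannot be proven patched, and in a compliance report "unknown" should be treated as a failure, not skipped. Swap `SAMPLE_FLEET` for `collect_from_adb()` (or an export from your MDM) to run it against real hardware.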

The Bigger Pattern

129 vulnerabilities in one month is not normal. The previous peak was in April 2018. Several factors are converging to drive Android vulnerability counts higher in 2026.

The Android ecosystem fragmentation problem has not been solved. A patch released today reaches Pixel devices this week, Samsung flagships within a month, and mid-range devices from smaller OEMs potentially never, or years late. The 234 chipsets affected by CVE-2026-21385 span devices from 2019 through 2026.

The second factor is the explosion of chipset complexity. Modern SoCs contain components from Qualcomm, Arm, and other IP vendors, each with their own vulnerability surface. The March bulletin includes patches for components from at least four different chipset vendors.

The third factor is the increased sophistication of the Android security research community. More researchers, more bug bounty programs, and more automated fuzzing tools mean more vulnerabilities found and reported each month. Most of what is in the March bulletin was found by researchers before attackers, which is the intended outcome of the responsible disclosure model.

Key Takeaways

  • 129 vulnerabilities patched in March 2026, the most in a single Android bulletin since April 2018
  • CVE-2026-21385: Qualcomm graphics zero-day, under limited targeted exploitation in the wild, affecting 234 chipsets across mid-range and flagship Android devices
  • CVE-2026-0006: critical RCE in the Android System component, no user interaction required, no known exploitation yet
  • March 24, 2026: CISA deadline for federal agencies to apply the patch
  • Only patch level 2026-03-05 or later includes the Qualcomm fix; 2026-03-01 does not
  • For developers: update MDM/device compliance policies to require 2026-03-05; move this cycle from routine to emergency for enterprise Android deployments
  • What to watch: exploitation details or proof-of-concept code for CVE-2026-0006 may emerge within weeks of the patch; if your app handles sensitive data, monitor for disclosure

Written by

Abhishek Gautam

Full Stack Developer & Software Engineer based in Delhi, India. Building web applications and SaaS products with React, Next.js, Node.js, and TypeScript. 8+ projects deployed across 7+ countries.
