Google patches 129 Android security flaws — including a potentially dangerous Qualcomm zero-day


  • Google released March 2026 Android update fixing 129 flaws
  • Includes 10 critical bugs and CVE-2026-21385 (7.8/10), exploited in the wild across 235 Qualcomm chipsets
  • Two patch levels (2026-03-01, 2026-03-05) issued; Pixel devices patched first, OEM rollout expected later

Google has released a new security update that fixes 129 vulnerabilities in the Android ecosystem, including 10 critical-severity bugs and one high-severity issue apparently being exploited in the wild.

In a security advisory, Google said that it fixed a buffer over-read vulnerability in the Graphics component (an open-source Qualcomm module). The bug, tracked as CVE-2026-21385, was given a severity score of 7.8/10.

"Memory corruption when adding user-supplied data without checking available buffer space," Qualcomm said in a separate advisory.

Two sets of patches

This bug, Google said, was used in real-life attacks: “There are indications that CVE-2026-21385 may be under limited, targeted exploitation,” it said. Other details were not shared. Qualcomm said the bug was first spotted on December 18, and customers were notified on February 2. It affects 235 chipsets.

Google also addressed 10 vulnerabilities across System, Framework, and Kernel components that were all labeled as critical and could theoretically be used in remote code execution, privilege escalation, and DoS attacks.

"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation," Google stressed.

To fix the flaws, the company released two separate patch levels: 2026-03-01 and 2026-03-05. The second one contains fixes for all 129 bugs, as well as fixes for closed-source third-party and kernel subcomponents.

Given the fragmentation of the Android ecosystem, it might take a while before most devices are patched. OEMs, such as Samsung, OnePlus, or Xiaomi, now need to take these patches and work them into their products and patch cadence. Pixel devices are expected to receive these patches first, since they are Google's own product.
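
For anyone tracking the OEM rollout across a device fleet, the sketch below is an added example (not from Google, Qualcomm or the original article) that sorts reported security patch levels against the two March 2026 levels named above. The device serials and inventory are constructed, and it assumes a later patch level includes every earlier one.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the two
# March 2026 levels named in the article. All inventory data is constructed.

PARTIAL_LEVEL=20260301   # 2026-03-01, the first patch level
FULL_LEVEL=20260305      # 2026-03-05, the level said to fix all 129 bugs

# classify_patch_level <YYYY-MM-DD> -> FULL, PARTIAL, MISSING or INVALID
classify_patch_level() {
    # Shape check: rejects empty, truncated or non-zero-padded values
    case "$1" in
        [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) ;;
        *) echo "INVALID"; return 0 ;;
    esac
    # Drop the dashes so the level compares as an integer (YYYYMMDD)
    cpl_num=$(printf '%s' "$1" | tr -d '-')
    if [ "$cpl_num" -ge "$FULL_LEVEL" ]; then
        echo "FULL"        # on or after 2026-03-05
    elif [ "$cpl_num" -ge "$PARTIAL_LEVEL" ]; then
        echo "PARTIAL"     # 2026-03-01 only: not the complete set of fixes
    else
        echo "MISSING"     # predates the March 2026 update
    fi
}

# audit_inventory: reads "serial patch_level" lines on stdin, one verdict per device
audit_inventory() {
    while read -r ai_serial ai_level; do
        case "$ai_serial" in ''|\#*) continue ;; esac   # skip blanks and comments
        printf '%s %s %s\n' "$ai_serial" "${ai_level:-unknown}" \
            "$(classify_patch_level "$ai_level")"
    done
}

# count_not_full: devices that cannot be assumed to carry all 129 fixes
count_not_full() {
    audit_inventory | grep -cv ' FULL$' || true
}

# Constructed sample inventory (hypothetical serials)
SAMPLE_INVENTORY='# serial patch_level
DEVICE-A 2026-03-05
DEVICE-B 2026-03-01
DEVICE-C 2026-02-05
DEVICE-D 2026-04-01
DEVICE-E
DEVICE-F 2026-3-5'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

On a connected device, the value to feed in is what `adb shell getprop ro.build.version.security_patch` returns; a device that reports nothing or a malformed string is treated as unverified rather than patched.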


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
