Google addresses actively exploited Qualcomm zero-day in fresh batch of 129 Android vulnerabilities
Google addresses actively exploited Qualcomm zero-day in fresh batch of 129 Android vulnerabilities
https://cyberscoop.com/android-security-update-march-2026/
Publish Date: 2026-03-02 17:28:00
Source Domain: cyberscoop.com
Google disclosed one actively exploited zero-day vulnerability Monday, warning that the high-severity defect affecting an open-source Qualcomm display component for Android devices “may be under limited, targeted exploitation.”
The memory-corruption vulnerability — CVE-2026-21385 — which Google’s Android security team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a security bulletin. Qualcomm said it notified customers of the vulnerability Feb. 2.
Qualcomm declined to say when the earliest known instance of exploitation occurred, how many victims have been directly impacted, and what occurred during the 10-week period between the reporting and public disclosure of the vulnerability.
“We commend the researchers from Google’s Threat Analysis Group for using coordinated disclosure practices,” a Qualcomm spokesperson told CyberScoop. “Fixes were made available to our customers in January 2026. We encourage end users to apply security updates as they become available from device makers.”
A Google spokesperson said Qualcomm marked the vulnerability as exploited. “We don’t have any info or access to the exploit reports,” the spokesperson added.
Google addressed 129 defects in its monthly security update for Android devices, reflecting a surge in vulnerability disclosures from the vendor. The company’s latest security update contains the highest number of Android vulnerabilities patched in a single month since April 2018.
Google’s public vulnerability disclosure and reporting program for Android has been uneven. The company typically issued dozens of security patches each month, but that cadence has shifted to a more occasional routine.
So far this year, Google addressed one Android vulnerability in January and none in February. There were occasional lulls last year as well when Google reported no vulnerabilities in July and October, six in August and two vulnerabilities in November….
