Google has released its latest security update for Android, announcing in the March 2026 Android Security Bulletin that it has addressed a total of 129 vulnerabilities.
Included among these vulnerabilities is CVE-2026-21385, a zero-day affecting an open-source Qualcomm component. While the company has not shared much in the way of detail, it says that “there are indications that CVE-2026-21385 may be under limited, targeted exploitation”.
CVE-2026-21385 affects the display component of Android and has been assigned a severity rating of High. There are actually numerous Qualcomm components with issues that are addressed with this latest update, as Google explains:
Qualcomm components
These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.
| CVE | References | Severity | Subcomponent | |
| CVE-2025-47388 | A-449733645 QC-CR#4207075 |
High | Security | |
| CVE-2025-47394 | A-449732573 QC-CR#4202921 |
High | Kernel | |
| CVE-2025-47396 | A-449733129 QC-CR#4204623 |
High | Display | |
| CVE-2025-47397 | A-457747735 QC-CR#4205207 [2] |
High | Display | |
| CVE-2025-47398 | A-457746802 QC-CR#4229974 [2] |
High | Display | |
| CVE-2025-59600 | A-465462602 QC-CR#4249775 [2] |
High | Display | |
| CVE-2026-21385 | A-478214401 QC-CR#4387106 [2] |
High | Display |
Qualcomm closed-source components
These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.
| CVE | References | Severity | Subcomponent | |
| CVE-2025-47339 | A-430042394* | High | Closed-source component | |
| CVE-2025-47346 | A-430043562* | High | Closed-source component | |
| CVE-2025-47348 | A-430043784* | High | Closed-source component | |
| CVE-2025-47366 | A-436259280* | High | Closed-source component | |
| CVE-2025-47378 | A-442620485* | High | Closed-source component | |
| CVE-2025-47385 | A-442621008* | High | Closed-source component | |
| CVE-2025-47395 | A-449732115* | High | Closed-source component | |
| CVE-2025-47402 | A-457748468* | High | Closed-source component |
The CVE-2026-21385 issue has a CVSS score of 7.8, and was first reported back in December. There are currently no details about how it has been exploited and how widespread the issue is.
In its own security bulletin, Qualcomm refers to CVE-2026-21385 as an “Integer Overflow or Wraparound in Graphics”, describing it as “memory corruption while using alignments for memory allocation”.
The company also provides links to patches:
