Android Zero-Day CVE-2026-21385 Actively Exploited

by CyberNewsAI Admin
Threat Intelligence | Vulnerability Watch

Executive Summary

Google has confirmed that a high-severity vulnerability, CVE-2026-21385, affecting a Qualcomm graphics component in the Android ecosystem, is being actively exploited in the wild. The flaw is a memory-safety bug in buffer-size handling; it has been reported as a buffer over-read, and Qualcomm's advisory characterises it as an integer overflow leading to memory corruption. While exploitation is currently assessed as "limited" and "targeted," a zero-day with a confirmed in-the-wild exploit still warrants immediate action. The patch for this vulnerability is included in the March 2026 Android security bulletin, which addresses a total of 129 security defects.

Key Findings

Vulnerability Profile: CVE-2026-21385

The primary vulnerability is tracked as CVE-2026-21385, with a CVSS score of 7.8 (High). The flaw exists in an open-source Qualcomm Graphics component. According to Qualcomm's advisory, it is an integer overflow leading to memory corruption when processing user-supplied data without proper buffer size validation. The flaw was initially reported to Qualcomm by Google's Android Security team on December 18, 2025.

Active Exploitation

Google's March 2026 bulletin states there are "indications that CVE-2026-21385 may be under limited, targeted exploitation." As of publication, neither Google nor Qualcomm has disclosed the threat actor, the attack vector, or the Tactics, Techniques, and Procedures (TTPs) involved, so the adversary and the delivery mechanism remain unknown.

March 2026 Android Security Bulletin

The patch for CVE-2026-21385 is delivered via the March 2026 Android security update. This is a substantial update, containing fixes for 129 vulnerabilities. As with every monthly bulletin, it is split into two patch levels to give partners deployment flexibility: the 2026-03-01 level covers the Android platform (Framework and System) issues, while the 2026-03-05 level includes those plus the kernel and vendor-component fixes from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc. A device reporting 2026-03-05 or later therefore carries every fix in the bulletin, including the Qualcomm graphics fix.

Other Critical Flaws Patched

The update also addresses several other critical vulnerabilities, including:

  • CVE-2026-0006: A critical remote code execution (RCE) vulnerability in the System component, requiring no additional privileges or user interaction.
  • CVE-2026-0047: A critical privilege escalation bug in the Framework.
  • CVE-2025-48631: A critical denial-of-service (DoS) flaw in the System component.
  • Seven critical privilege escalation flaws in Kernel components, including CVE-2024-43859 and CVE-2026-0037.

Mitigation & Recommendations

Immediate Patching

All Android devices should be updated to the March 2026 security patch level as soon as possible. Because the fix for CVE-2026-21385 ships with the vendor-component set, a device that reports only the 2026-03-01 level is still exposed; the target is 2026-03-05 or later, which also covers the other critical component-level flaws. Vendor-component patches reach devices through OEM firmware updates, so rollout timing varies by manufacturer and carrier. Verify the actual level on each device (Settings > About phone > Android version, or the system property ro.build.version.security_patch) rather than assuming an update has landed.
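The check described above, as an added example that is not Google's, Qualcomm's, or this site's own tooling: a POSIX shell script that classifies a device's reported security patch level against the 2026-03-05 level, and a fleet walker built on the real `adb devices` and `adb shell getprop` commands. The sample serials and levels in `demo_report` are constructed so the script runs offline; `check_fleet` assumes `adb` is on PATH and the devices are authorised for debugging.

```shell
#!/bin/sh
# Added example (not vendor tooling): verify that Android devices report a
# security patch level of 2026-03-05 or later, the level that carries the
# Qualcomm graphics fix for CVE-2026-21385.

REQUIRED_LEVEL="2026-03-05"

# patch_level_ok LEVEL [REQUIRED]
# Returns 0 if LEVEL (YYYY-MM-DD) is at or after REQUIRED, 1 if it is older,
# and 2 if LEVEL is empty or malformed. An unreadable property must never be
# treated as "patched", so it gets its own status.
patch_level_ok() {
    level="$1"
    required="${2:-$REQUIRED_LEVEL}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip the dashes and compare as integers: 20260305 >= 20260305.
    lvl=$(printf '%s' "$level" | sed 's/-//g')
    req=$(printf '%s' "$required" | sed 's/-//g')
    [ "$lvl" -ge "$req" ]
}

# classify_level LEVEL -> PATCHED | VULNERABLE | UNKNOWN
# Note that 2026-03-01 is VULNERABLE: that level lacks the vendor-component fixes.
classify_level() {
    rc=0
    patch_level_ok "$1" || rc=$?
    case $rc in
        0) echo PATCHED ;;
        2) echo UNKNOWN ;;
        *) echo VULNERABLE ;;
    esac
}

# device_level SERIAL: read the patch level from a connected device.
device_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# check_fleet: one line per authorised device: serial, level, status.
check_fleet() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        level=$(device_level "$serial")
        printf '%s\t%s\t%s\n' "$serial" "${level:-<none>}" "$(classify_level "$level")"
    done
}

# demo_report: constructed sample data (not real devices) showing the report
# format, including a device on the 2026-03-01 level and one with no property.
demo_report() {
    for sample in "pixel-a:2026-03-05" "tablet-b:2026-03-01" "kiosk-c:2025-11-01" "odd-d:"; do
        serial=${sample%%:*}
        level=${sample#*:}
        printf '%s\t%s\t%s\n' "$serial" "${level:-<none>}" "$(classify_level "$level")"
    done
}

# Replace demo_report with check_fleet once adb-connected devices are available.
demo_report
```

The comparison strips the dashes and compares the dates as integers, which is exact for ISO dates and avoids any dependence on date(1) flags; an empty or malformed property is reported as UNKNOWN rather than silently passing, because a device that cannot be read is the one most worth looking at.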

Threat Hunting & Monitoring

No Indicators of Compromise (IOCs) have been released, so detection has to rest on behaviour rather than signatures until more specific intelligence becomes available. On managed fleets, treat an unexplained crash in a GPU or graphics driver process as worth a look: collect tombstones and the fatal-signal entries logcat records for them, and watch kernel logs for graphics-driver faults, since a failed or partially successful memory-corruption exploit often leaves exactly this kind of trace. Pair that with the patch-level inventory above so that crash reports from devices still below 2026-03-05 are triaged first.
