
Google has released the March 2026 Android security updates, patching dozens of vulnerabilities, including a zero-day flaw in Qualcomm’s graphics drivers that is reportedly under limited, targeted exploitation.
The most serious issue addressed this month is a remote code execution bug in the Android System component, while the actively exploited flaw affects a wide range of Qualcomm Snapdragon chipsets.
The March 2026 security update for Android is split into two patch levels, 2026-03-01 and 2026-03-05. Devices on the 2026-03-05 level carry fixes for all disclosed issues, including the kernel and chipset-specific vulnerabilities. As usual, Google said it notified Android partners at least a month in advance and will release the corresponding source code patches to the Android Open Source Project (AOSP) repository within 48 hours of publication.
Among the issues disclosed, Google noted that CVE-2026-21385 “may be under limited, targeted exploitation.” This vulnerability is tracked as a high-severity flaw in Qualcomm’s graphics components and is described by Qualcomm as an integer overflow or wraparound in memory alignment handling. It can lead to memory corruption when specially crafted alignment values are used during memory allocation.
According to Qualcomm’s advisory, the bug was reported on December 18, 2025, and customers were notified on February 2, 2026. The flaw affects an extensive list of chipsets, including numerous Snapdragon mobile platforms such as the Snapdragon 8 Gen 1, 8 Gen 2, 8 Gen 3, Snapdragon 888, 865, 778G, and many 4-, 6-, and 7-series chips, as well as compute, automotive, XR, wearable, and networking platforms.
At the code level, the issue resides in the KGSL (Kernel Graphics Support Layer) driver, specifically in how user-supplied alignment values are processed. The fix modifies the return type of the kgsl_memdesc_get_align() helper from a signed int to an unsigned u32, preventing sign extension during bit-shift operations.
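The following is an added illustration of the signed-versus-unsigned hazard that the described return-type change targets; it is not the Qualcomm KGSL source, and the helper names, the 5-bit exponent field and the maximum exponent are assumptions made for the example. A crafted alignment exponent whose shift result has the top bit set sign-extends to a huge 64-bit size when the helper returns int, but zero-extends when it returns u32.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed illustration, not the Qualcomm KGSL source: the helper names
 * and the 5-bit exponent field are assumptions made for this example. */
#define ALIGN_EXP_MASK 0x1Fu   /* exponent (0..31) in the low five bits of a flags word */
#define ALIGN_EXP_MAX  24u     /* largest alignment the allocator should honour (16 MiB) */

/* "Before" shape: alignment exponent returned as a signed int. */
static int align_exp_signed(uint64_t flags)
{
    return (int)(flags & ALIGN_EXP_MASK);
}

/* "After" shape: the same helper returning an unsigned 32-bit value. */
static uint32_t align_exp_unsigned(uint64_t flags)
{
    return (uint32_t)(flags & ALIGN_EXP_MASK);
}

/* Alignment in bytes, widened to a 64-bit size through a signed 32-bit
 * intermediate.  For exp == 31 the shift result 0x80000000 does not fit an
 * int; the conversion is implementation-defined and gives INT_MIN on the
 * usual two's-complement targets, which then sign-extends to 64 bits. */
uint64_t align_bytes_signed(uint64_t flags)
{
    int exp = align_exp_signed(flags);
    int bytes = (int)(1u << exp);
    return (uint64_t)bytes;        /* exp 31 -> 0xFFFFFFFF80000000 */
}

/* Same computation with unsigned types: widening zero-extends. */
uint64_t align_bytes_unsigned(uint64_t flags)
{
    uint32_t exp = align_exp_unsigned(flags);
    uint32_t bytes = 1u << exp;
    return (uint64_t)bytes;        /* exp 31 -> 0x0000000080000000 */
}

/* The type change alone still honours a 2 GiB alignment request; a range
 * check rejects exponents the allocator was never meant to accept. */
bool align_bytes_checked(uint64_t flags, uint64_t *out)
{
    uint32_t exp = align_exp_unsigned(flags);
    if (exp > ALIGN_EXP_MAX)
        return false;
    *out = (uint64_t)1 << exp;
    return true;
}
```

The sign-extended value matters because a size of 0xFFFFFFFF80000000 wraps in any later addition, so a bounds comparison that was correct for the zero-extended 0x80000000 no longer holds.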
Although the Qualcomm bulletin lists the access vector as local, successful exploitation could allow a malicious app with limited privileges to corrupt memory in the graphics subsystem. Given the complexity of modern GPU drivers and their interaction with the kernel’s memory manager and IOMMU, such corruption bugs can potentially be chained with other vulnerabilities to achieve privilege escalation.
In addition to the Qualcomm zero-day, Google patched a critical remote code execution flaw in the Android System component, tracked under CVE-2026-0006. This vulnerability could allow remote code execution with no additional execution privileges required and without user interaction, making it the most severe issue in this month’s bulletin. It affects Android 16 and is also addressed through a Project Mainline update to the Media Codecs component.
The bulletin also includes multiple critical kernel vulnerabilities in components such as Protected Kernel-Based Virtual Machine (pKVM), Hypervisor, and the Flash-Friendly File System (F2FS), as well as high-severity flaws in Arm Mali GPUs, Imagination Technologies PowerVR GPUs, MediaTek modems, Unisoc modems, and additional Qualcomm closed-source components.
Google emphasized that Android’s layered security model, including sandboxing, exploit mitigations, and Google Play Protect, helps reduce the likelihood of successful exploitation. Play Protect is enabled by default on devices with Google Mobile Services and scans for potentially harmful applications, particularly important for users who sideload apps.
Users are advised to update their devices to the March 5, 2026 security patch level or later as soon as it becomes available for their device. To verify the patch level, users can navigate to Settings → Security & Privacy → Security Update and check that the “Android security update” date reads 2026-03-05 or newer.