With its latest security bulletin, Google has taken steps to address a broad range of Android vulnerabilities, releasing patches for 129 vulnerabilities spanning core platform components and third party modules.
These vulnerabilities include ten that are rated critical, and one that is believed to have been exploited outside of controlled environments. Thus, the persistent pressure on mobile infrastructure is evident.
CVE-2026-21385, a buffer over-read vulnerability related to an open-source Qualcomm module, was central to the update.
The vulnerability has a severity score of 7.8 and is tracked as CVE-2026-21385. Input from a user is improperly handled without the possibility of verifying buffer space, which may result in memory corruption under certain circumstances.
This advisory describes a vulnerability identified as CVE-2026-21385, which has a CVSS score of 7.8 and has been categorized as a buffer overread within the Graphics component.
Qualcomm describes the vulnerability as an integer overflow that may result in memory corruption if user supplied data is appended without adequately validating the buffer space available.
As stated by the chipmaker, the flaw was originally reported to Google’s Android Security team on December 18, 2025, and downstream customers were notified on February 2, 2026 as a result.
Even though Google has not disclosed technical information about actual real-world exploitation, it has acknowledged evidence of limited and targeted abuses, suggesting that this vulnerability may have been exploited in controlled attack scenarios rather than indiscriminate attacks.
It is noteworthy that the March 2026 Android security update includes a comprehensive remediation effort that addresses 129 vulnerabilities across the entire system layer in addition to Qualcomm’s defect. Furthermore, it contains a critical remote code execution vulnerability in the System component, identified as CVE-2026-0006, that can be exploited without requiring additional user interaction or additional privileges—a significantly increased risk profile.
Further, the update resolves the CVE-2026-0047 privilege escalation issue in the Framework component, the CVE-2025-48631 denial-of-service condition in the System module, and seven individual privilege escalation vulnerabilities in Kernel components.
The vulnerabilities are identified as CVE-2024-43859, CVE-2026-0037, CVE-2026-0038, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031 identifiers.
Due to the fragmented device ecosystem, Google retains its dual patch-level structure – 2026-03-01 and 2026-03-05 – so that original equipment manufacturers and silicon partners can deploy patches according to their deployment cycle.
In addition to updating Android kernel components, this patch level also includes updates for third-party silicon and GPU vendors, such as Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc, emphasizing the complexity of modern security governance mechanisms.
Even though Google has not disclosed operational details regarding the observed activity, vulnerabilities of this nature have traditionally been of interest to commercial surveillance vendors as well as other actors capable of exploiting memory-handling vulnerabilities to gain covert access to data. A mitigation for CVE-2026-21385 has been included in the se
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: