Google patches 129 Android security flaws — including a potentially dangerous Qualcomm zero-day

• Google released March 2026 Android update fixing 129 flaws
• Includes 10 critical bugs and CVE-2026-21385 (7.8/10), exploited in the wild across 235 Qualcomm chipsets
• Two patch levels (2026-03-01, 2026-03-05) issued; Pixel devices patched first, OEM rollout expected later

Google has released a new security update which fixed 129 vulnerabilities in the Android ecosystem, including 10 critical-severity bugs, and one high-severity issue apparently being exploited in the wild.

In a security advisory, Google said that it fixed a buffer over-read vulnerability in the Graphics component (an open-source Qualcomm module). The bug, tracked as CVE-2026-21385, was given a severity score of 7.8/10.

"Memory corruption when adding user-supplied data without checking available buffer space," Qualcomm said in a separate advisory.