Android Update Patches Exploited Qualcomm Zero-Day

Google on Monday announced the rollout of new Android security updates containing patches for nearly 130 vulnerabilities, including an exploited zero-day.

The exploited flaw, tracked as CVE-2026-21385 (CVSS score of 7.8) and impacting the graphics component of over 200 Qualcomm chipsets, is described as an integer overflow or wraparound issue leading to memory corruption while using alignments for memory allocation.

According to Jamf senior enterprise strategy manager Adam Boynton, the successful exploitation of the weakness could allow attackers to “bypass security controls and gain unauthorised control over the system”.

According to Qualcomm’s advisory, the bug was reported on December 18, 2025, through the Google Android Security team. The chip maker notified its customers of CVE-2026-21385 on February 2 and disclosed the security defect on Monday.

“There are indications that CVE-2026-21385 may be under limited, targeted exploitation,” Google notes in Android’s March 2026 security bulletin.

The company has ...