Google Warns of Actively Exploited Qualcomm Zero-Day in Android
- Mar 3
Key Findings
Google disclosed that a high-severity vulnerability, CVE-2026-21385 (CVSS score: 7.8), affecting an open-source Qualcomm component used in Android devices has been actively exploited.
Qualcomm classifies the bug as a buffer over-read in the Graphics component and describes it as "memory corruption when adding user-supplied data without checking available buffer space"; the underlying cause is an integer overflow in that length handling.
Google acknowledged "there are indications that CVE-2026-21385 may be under limited, targeted exploitation."
Qualcomm notified customers of the vulnerability on February 2, 2026, about six and a half weeks (46 days) after Google's Android Security team reported it to Qualcomm on December 18, 2025.
Background
The vulnerability, CVE-2026-21385, was discovered by Google's Threat Analysis Group and reported to Qualcomm through the Android Security team. Qualcomm's subsequent advisory describes the issue as a buffer over-read in the Graphics component, characterized as "memory corruption when adding user-supplied data without checking available buffer space" and attributed to an integer overflow.
Vulnerability Details
CVE-2026-21385 is a high-severity vulnerability (CVSS score: 7.8) in an open-source Qualcomm component used in Android devices.
It is a buffer over-read in the Graphics component that leads to memory corruption.
According to Qualcomm, the root cause is an integer overflow: user-supplied data is added to a buffer without a correct check of the space remaining, so the length arithmetic wraps and the bounds check passes when it should fail.
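The bug class Qualcomm describes, a length check that overflows when attacker-controlled data is added to a buffer, is easiest to see in code. The following is an added illustration written for this page; it is not the affected Qualcomm code, and the buffer structure, capacity and function names are hypothetical. It shows the vulnerable check (a 32-bit sum that wraps) beside the hardened one (compare against remaining space, so nothing can overflow), with a constructed attacker length that wraps 16 + len back to 0. The same comparison guards read paths (offset + length against total size), which is where a wrapped sum becomes an over-read like the one reported here.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-capacity command buffer. This stands in for whatever
 * structure the affected Qualcomm graphics code actually uses; it is not
 * taken from that code. */
#define CMDBUF_CAP 64u

typedef struct {
    uint8_t  data[CMDBUF_CAP];
    uint32_t used;          /* bytes already written, always <= CMDBUF_CAP */
} cmdbuf_t;

/* Vulnerable bounds check. `used + len` is evaluated in 32-bit unsigned
 * arithmetic, so an attacker-chosen `len` near UINT32_MAX wraps the sum to
 * a small number and the comparison passes. A memcpy of `len` bytes placed
 * behind this check would run far past the end of `data`. */
static int bounds_ok_vulnerable(uint32_t used, uint32_t len, uint32_t cap)
{
    return used + len <= cap;
}

/* Hardened check: compare `len` against the remaining space rather than
 * forming a sum, so there is no intermediate value that can overflow. */
static int bounds_ok_safe(uint32_t used, uint32_t len, uint32_t cap)
{
    if (used > cap)            /* corrupted state: refuse rather than underflow */
        return 0;
    return len <= cap - used;
}

/* Append `len` bytes from `src` using the hardened check.
 * Returns the new fill level, or -1 if the request does not fit. */
static long cmdbuf_append(cmdbuf_t *b, const uint8_t *src, uint32_t len)
{
    if (!bounds_ok_safe(b->used, len, CMDBUF_CAP))
        return -1;
    memcpy(b->data + b->used, src, len);
    b->used += len;
    return (long)b->used;
}

/* Worked scenario: a buffer already holding 16 bytes receives a request to
 * append `len` more. Returns cmdbuf_append's result for that request. */
static long append_after_16(uint32_t len)
{
    static const uint8_t src[CMDBUF_CAP] = { 0 };   /* constructed filler data */
    cmdbuf_t b = { {0}, 0 };
    if (cmdbuf_append(&b, src, 16) != 16)
        return -2;
    return cmdbuf_append(&b, src, len);
}

int main(void)
{
    /* Constructed attacker length: 16 + 0xFFFFFFF0 wraps to 0 in uint32_t. */
    const uint32_t evil = 0xFFFFFFF0u;

    printf("vulnerable check, used=16 len=0x%08x: %s\n", evil,
           bounds_ok_vulnerable(16, evil, CMDBUF_CAP) ? "ACCEPTED" : "rejected");
    printf("hardened check,   used=16 len=0x%08x: %s\n", evil,
           bounds_ok_safe(16, evil, CMDBUF_CAP) ? "accepted" : "REJECTED");
    printf("append 48 bytes after 16: %ld\n", append_after_16(48));    /* 64 */
    printf("append 49 bytes after 16: %ld\n", append_after_16(49));    /* -1 */
    printf("append 0x%08x bytes after 16: %ld\n", evil, append_after_16(evil)); /* -1 */
    return 0;
}
```

The vulnerable form accepts the wrapped length because 16 + 0xFFFFFFF0 is exactly 2^32 and truncates to 0, which is trivially at most 64; the hardened form never adds two attacker-influenced quantities, it only subtracts a trusted fill level from a trusted capacity. Compiling with `-fsanitize=undefined` does not catch this case, since unsigned wraparound is defined behaviour in C, which is why this pattern survives review in otherwise sanitized code.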
Exploitation and Impact
Google acknowledged that "there are indications that CVE-2026-21385 may be under limited, targeted exploitation."
Neither Qualcomm nor Google has provided details on how the vulnerability is being exploited in the wild, the number of victims, or the earliest known instance of exploitation.
Vendor Response
Qualcomm was notified of the vulnerability by Google's Android Security team on December 18, 2025.
Qualcomm notified customers of the security defect on February 2, 2026, about six and a half weeks (46 days) after the initial report.
Google's March 2026 Android security update fixes 129 vulnerabilities in total, including CVE-2026-21385. Whether a given device carries the fix depends on its OEM shipping that update; the device's reported security patch level (`ro.build.version.security_patch`, readable with `adb shell getprop`) must reach the March 2026 level or later.
Conclusion
Google's disclosure of the actively exploited CVE-2026-21385 vulnerability in an open-source Qualcomm component used in Android devices highlights the ongoing security challenges faced by the Android ecosystem. The gap between the initial report to Qualcomm and public disclosure, during which Google saw indications of limited, targeted exploitation, raises concerns about the coordinated vulnerability management process between Google and its hardware partners.
Sources
https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html
https://cyberscoop.com/android-security-update-march-2026/
https://securityaffairs.com/188823/security/android-devices-hit-by-exploited-qualcomm-flaw-cve-2026-21385.html
https://bulletproofservers.hk/blog/google-warns-of-actively-exploited-qualcomm-zero-day-in-android-devices/