Overview
- CVE-2026-21385 is a high-severity memory corruption bug, described as an integer overflow or wraparound, in an open-source Qualcomm graphics/display component; it affects more than 230 chipsets.
- Google says the flaw is under limited, targeted exploitation, and Qualcomm has flagged it as exploited, though Google has not shared details of attack activity.
- March’s bulletin ships in two patch levels (2026-03-01 and 2026-03-05), with the latter bundling kernel and third-party vendor fixes, including Qualcomm components.
- Beyond the zero-day, Google fixed critical issues such as a System remote code execution bug (CVE-2026-0006) that requires no user interaction, plus multiple kernel vulnerabilities impacting pKVM and the hypervisor.
- Google reported the Qualcomm flaw on December 18, 2025, Qualcomm notified customers on February 2, and updates now depend on OEM and carrier rollouts, with Pixel receiving patches immediately.