Google patches 129 Android vulnerabilities, flags Qualcomm zero-day exploitation

Google’s March security bulletin fixes 129 Android flaws and warns of a Qualcomm display zero-day under limited exploitation; install vendor updates as soon as they arrive.

Dr. Elena Rodriguez
Source: vulert.com

Google released its March 2026 Android Security Bulletin, distributing two patch levels that together address 129 vulnerabilities across the Android ecosystem and flag a Qualcomm display and graphics zero-day as being exploited in the wild. The company split the fixes into patch level 2026-03-01 for core platform issues and 2026-03-05 to cover hardware-specific, closed-source and vendor components; the latter contains fixes for the full set of 129 bugs.

The standout entry is CVE-2026-21385, a memory-corruption flaw in a Qualcomm Display/Graphics component described by vendors as an integer overflow or buffer over-read that can be triggered by malformed input. Google warned of "limited, targeted exploitation in the wild." Qualcomm wrote that the bug is caused by "memory corruption when adding user-supplied data without checking available buffer space." The company says the flaw affects some 235 Qualcomm chipsets and that it reported the issue to the Android security team on Dec. 18, 2025, before notifying customers on Feb. 2, 2026.

Beyond the Qualcomm zero-day, the bulletin includes multiple high- and critical-severity bugs in System, Framework and Kernel components. Google’s advisory highlights a System vulnerability that could lead to remote code execution "with no additional execution privileges needed" and states that "user interaction is not needed for exploitation." Security reporting notes the release also patches a cluster of critical escalation-of-privilege and memory-corruption issues across the kernel and virtualization stacks.

Representative CVEs called out in monthly summaries include CVE-2026-0006 (System, remote code execution, critical), CVE-2025-48631 (System, denial of service, critical), CVE-2026-0047 (Framework, escalation of privilege, critical), and kernel/virtualization fixes such as CVE-2024-43859 (Flash-Friendly File System, escalation of privilege), CVE-2026-0037 (pKVM, escalation of privilege) and CVE-2026-0038 (hypervisor, escalation of privilege). Vendor and hardware fixes beyond Qualcomm span Arm Mali GPU code, MediaTek, Imagination Technologies, Unisoc and other third-party components, with some OEM-specific protections tied to vendor images such as vbmeta.

Google’s two-tier rollout means Pixel phones, which receive Google-managed patches immediately, will be updated first. Other manufacturers including Samsung, Xiaomi, OnePlus and Motorola must incorporate Google’s changes into their own firmware builds; that staggered cadence leaves many devices exposed until vendors push the 2026-03-05 or equivalent updates. Because several of the corrected vulnerabilities allow code execution without user action, security experts say the timetable for OEM rollouts is the key determinant of ongoing risk.

For now, users should install updates as soon as their device maker issues them and keep Play Protect app scanning enabled. Security teams managing fleets should prioritize devices on affected Qualcomm chipsets until vendor patches are deployed and verify update levels show 2026-03-05 or later where applicable.
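The fleet check described above can be scripted against an inventory export. The following is an added example, not code from the article, Google or Qualcomm: the record fields (`id`, `soc_vendor`, `security_patch`) and the sample devices are constructed, and because the article does not list the affected chipsets, "SoC vendor is Qualcomm" stands in as a coarse proxy for "possibly affected by CVE-2026-21385".

```python
from datetime import date

PLATFORM_LEVEL = date(2026, 3, 1)  # core platform fixes only
FULL_LEVEL = date(2026, 3, 5)      # adds vendor and closed-source fixes

def parse_patch_level(value):
    """Return a date for a 'YYYY-MM-DD' patch level, or None if missing/malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (AttributeError, ValueError):
        return None

def classify(device):
    """Return (status, priority); priority 0 is the most urgent."""
    level = parse_patch_level(device.get("security_patch"))
    # Assumption: vendor name is a proxy for the affected-chipset list.
    qualcomm = (device.get("soc_vendor") or "").strip().lower() == "qualcomm"
    if level is None:
        status = "unknown"          # cannot verify, so treat as exposed
    elif level >= FULL_LEVEL:
        status = "full"
    elif level >= PLATFORM_LEVEL:
        status = "platform-only"    # vendor component fixes still missing
    else:
        status = "unpatched"
    if status == "full":
        return status, 2
    return status, 0 if qualcomm else 1

def triage(devices):
    """Sort devices most urgent first; within a priority, oldest patch level first."""
    rows = []
    for d in devices:
        status, priority = classify(d)
        level = parse_patch_level(d.get("security_patch")) or date.min
        rows.append((priority, level, d["id"], status))
    rows.sort(key=lambda r: (r[0], r[1]))
    return [(dev_id, status, priority) for priority, _, dev_id, status in rows]

# Constructed sample inventory (e.g. an MDM export); not real devices.
INVENTORY = [
    {"id": "pixel-001", "soc_vendor": "Google", "security_patch": "2026-03-05"},
    {"id": "sm-a55-014", "soc_vendor": "Samsung", "security_patch": "2026-02-01"},
    {"id": "op-12-007", "soc_vendor": "Qualcomm", "security_patch": "2026-03-01"},
    {"id": "mi-14-022", "soc_vendor": "qualcomm", "security_patch": "2026-01-05"},
    {"id": "moto-g-031", "soc_vendor": "Qualcomm", "security_patch": ""},
    {"id": "tab-009", "soc_vendor": "MediaTek", "security_patch": "2026-03-05"},
]

if __name__ == "__main__":
    for dev_id, status, priority in triage(INVENTORY):
        print(f"P{priority}  {dev_id:<12} {status}")
```

On a single device, the value for `security_patch` is the one shown under the Android security update entry in Settings, or returned by `adb shell getprop ro.build.version.security_patch`.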

The scale of the bulletin — 129 fixes in a single month — underscores continuing pressure on the Android supply chain to close holes in both open-source platform code and a widening set of closed-source vendor components. Google’s split patch levels aim to speed core platform fixes while allowing vendors time to integrate hardware-specific repairs, but the real-world protection for most users will hinge on how quickly OEMs and carriers deliver those builds.
