Google has published a package of Android security patches that fixes 129 vulnerabilities, including a zero-day flaw that already appears to be used in targeted attacks and that affects a display component in Qualcomm chips. The details of the fixes are in Google's official bulletin on the Android security page: Android Security Bulletin (2026-03-01).
In its notice, Google warns that there are signs of limited, targeted exploitation of the flaw identified as CVE-2026-21385, without providing further details about the specific campaigns. When a vendor indicates possible active exploitation, the immediate recommendation is to prioritize the update; such a notice should not be taken lightly because it often indicates that malicious actors have already found a practical way to take advantage of the vulnerability.

Qualcomm, for its part, published a technical advisory describing the problem as an integer overflow or wraparound in the graphics subcomponent, an error that can lead to memory corruption if it is suitably manipulated by a local attacker. The Qualcomm advisory, with more context and the list of affected chips, is available here: Qualcomm Security Bulletin - March 2026, and the fix can be found in the public commit in the open source repository: fix commit. Qualcomm's notice indicates that the defect affects more than two hundred chipset models, a figure that highlights the potential scope of the threat.
For those who want to see the technical record of the flaw in vulnerability databases, there is an entry in the US National Vulnerability Database: CVE-2026-21385 - NVD. This entry is useful for administrators who prioritize patches according to CVSS and other metadata.
In addition to the Qualcomm problem, Google this month fixed ten vulnerabilities rated as critical in components such as System, Framework and Kernel, which can allow anything from remote code execution to privilege escalation or denial of service. In some cases, Google points out that exploitation does not require user interaction, which increases the risk because a vulnerable device can be compromised without its owner clicking on anything. Google published two patch levels: the one corresponding to 2026-03-01 and a second with 2026-03-05, the latter being the one that also includes fixes for third-party components and closed-source kernel parts, that is, elements that do not always apply in the same way on all device models. The details of both are in the dedicated sections of the bulletin: 2026-03-01 and 2026-03-05.
It is important to remember that, although Google publishes the patches immediately, the arrival of the update on your phone depends on the manufacturer and the carrier. Pixel phones often receive patches directly and quickly, but other manufacturers need time to integrate and validate the fixes with their hardware, so there are delays that can last days or weeks. For companies and users with critical devices, this makes patch management a priority and often an operational risk if it is not acted on quickly.
What does "integer overflow" technically mean in this context? Put simply, it occurs when an arithmetic operation exceeds the capacity of the data type reserved for a value and the result wraps around or falls outside the expected limits. In low-level software, especially in graphics or kernel drivers, that behavior can corrupt memory and allow unauthorized code to run or the system to become unstable. In the reported case, Qualcomm indicates that the vulnerability can be exploited locally to achieve memory corruption, opening the door to more complex attacks.
Google has already fixed similar flaws in previous months: in December last year, two high-severity zero-days were patched that also showed signs of targeted exploitation, which points to a worrying trend: attackers continue to find and use vulnerabilities in system components and drivers before the patches reach all devices.
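To make the wraparound concrete, here is an added example in C (not Qualcomm's code and not the code changed by the fix, whose details the article does not give): a buffer-size calculation that wraps in 32 bits, next to a checked version. The `surface_req` structure, the function names and the 64 MiB limit are assumptions made up for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request from a local caller; field names are assumptions. */
struct surface_req { uint32_t width, height, bytes_per_pixel; };

#define MAX_SURFACE_BYTES (64u * 1024u * 1024u) /* constructed policy limit */

/* Unchecked: the product is computed in 32 bits and silently wraps, so a
 * huge request can yield a small size that later copies will overrun. */
uint32_t size_unchecked(const struct surface_req *r)
{
    return r->width * r->height * r->bytes_per_pixel;
}

/* Checked: reject zero dimensions, wraparound in either multiplication,
 * and anything above the limit. Uses the GCC/Clang overflow builtin. */
bool size_checked(const struct surface_req *r, uint32_t *out)
{
    uint32_t pixels, bytes;

    if (!r->width || !r->height || !r->bytes_per_pixel)
        return false;
    if (__builtin_mul_overflow(r->width, r->height, &pixels) ||
        __builtin_mul_overflow(pixels, r->bytes_per_pixel, &bytes))
        return false;
    if (bytes > MAX_SURFACE_BYTES)
        return false;
    *out = bytes;
    return true;
}

int main(void)
{
    /* Constructed inputs: the true size of `huge` is 17,180,131,328 bytes. */
    struct surface_req huge = { 0x10001u, 0x10000u, 4u };
    struct surface_req hd   = { 1920u, 1080u, 4u };
    uint32_t n = 0;

    printf("unchecked huge: %u bytes\n", size_unchecked(&huge));
    bool huge_ok = size_checked(&huge, &n);
    printf("checked huge:   %s\n", huge_ok ? "accepted" : "rejected");
    bool hd_ok = size_checked(&hd, &n);
    printf("checked 1080p:  %s (%u bytes)\n", hd_ok ? "accepted" : "rejected", n);
    return 0;
}
```

The unchecked function reports a size thousands of times smaller than what the dimensions actually describe, which is the mismatch that turns an arithmetic slip into memory corruption; the checked version refuses the request instead.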

If you have an Android phone, the sensible thing is to check immediately whether updates are available in the system settings and apply them. Updating the operating system and security patches is the most effective defense against this type of known flaw. If your device does not yet show the patch, check the manufacturer's support page or the update forum for your model and consider mitigation measures in the meantime: avoid installing apps from outside official stores, limit the permissions of apps with access to sensitive functions, and make regular backups of your important data.
For IT administrators and security officers, it is appropriate to first identify the devices with affected Qualcomm chipsets and prioritize patching them, as well as to monitor logs for signs of exploitation and keep EDR / antimalware solutions up to date. In corporate environments, coordinating with suppliers and applying patches in controlled maintenance windows will reduce exposure without interrupting critical operations.
Finally, while there is limited public information on specific campaigns on this occasion, the convergence of a Google notice and the Qualcomm bulletin, together with the presence of the CVE in databases such as NVD, facilitates risk assessment and mitigation planning. If you want to go to the original sources, check the Android bulletin mentioned above and the Qualcomm technical advisory, which contains the formal data and lists of affected components: Android Security Bulletin, Qualcomm March 2026 Bulletin and the vulnerability's entry in the NVD: CVE-2026-21385 - NVD. Staying informed and applying updates is, today, the best practice to keep your device safe.