- Google released a March 2026 Android update fixing 129 flaws
- Includes 10 critical bugs and CVE-2026-21385 (7.8/10), which affects 235 Qualcomm chipsets and has been exploited in the wild
- Two patch levels (2026-03-01, 2026-03-05) released; Pixel devices patched first, OEM rollout expected later
Google has released a new security update that fixes 129 vulnerabilities in the Android ecosystem, including 10 critical severity bugs and one high severity issue apparently exploited in the wild.
In a security advisory, Google said it fixed a buffer overread vulnerability in the Graphics component (an open source Qualcomm module). The bug, tracked as CVE-2026-21385, received a severity score of 7.8/10.
“Memory corruption when adding user-supplied data without checking available buffer space,” Qualcomm said in a separate advisory.
Two sets of fixes
This bug, Google said, has been used in real-world attacks: “There are indications that CVE-2026-21385 could be exploited in a limited and targeted way,” it said. Other details were not shared. Qualcomm said the bug was first spotted on December 18, while customers were notified of it on February 2. It affects 235 chipsets.
Google also fixed 10 vulnerabilities in the system, framework, and kernel components, all of which were rated critical and could theoretically be used in remote code execution attacks, privilege escalation attacks, and DoS attacks.
“The most serious of these issues is a critical security vulnerability in the system component that could lead to remote code execution without additional execution privileges needed. User interaction is not required for exploitation,” Google emphasized.
To fix the flaws, the company released two separate patch levels: 2026-03-01 and 2026-03-05. The second contains a fix for all 129 bugs, as well as fixes for third-party and closed-source kernel subcomponents.
Given the fragmentation of the Android ecosystem, it may be a while before most devices are patched. OEMs such as Samsung, OnePlus or Xiaomi must now integrate these fixes into their products and their update cadence. Pixel devices should receive the fixes first, as they are Google's own products.
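
Added example, not taken from Google's or Qualcomm's advisories: a shell script that buckets a device inventory against the two patch levels named above, so devices still waiting on an OEM rollout stand out. The device names and inventory are constructed; on a real device the string is the output of `adb shell getprop ro.build.version.security_patch`.

```shell
#!/bin/sh
# Added example: bucket devices by Android security patch level (March 2026 bulletin).
# The two patch-level strings come from the article; the inventory is constructed.

PARTIAL_LEVEL=20260301   # 2026-03-01, first patch level
FULL_LEVEL=20260305      # 2026-03-05, covers all 129 fixes per the article

# classify_patch_level YYYY-MM-DD -> prints full | partial | outdated | invalid
classify_patch_level() {
    case "$1" in
        # Shape check only: four-digit year, two-digit month and day.
        [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # Fixed-width ISO dates compare correctly as integers once hyphens are removed.
    rest=${1#*-}                     # MM-DD
    n=${1%%-*}${rest%-*}${rest#*-}   # YYYYMMDD
    if [ "$n" -ge "$FULL_LEVEL" ]; then
        echo full
    elif [ "$n" -ge "$PARTIAL_LEVEL" ]; then
        echo partial
    else
        echo outdated
    fi
}

# audit_inventory: reads "device-id patch-level" lines on stdin and prints
# "device-id status"; blank lines and # comments are skipped.
audit_inventory() {
    while read -r id level; do
        case "$id" in ''|\#*) continue ;; esac
        printf '%s %s\n' "$id" "$(classify_patch_level "$level")"
    done
}

# Constructed sample inventory (hypothetical device names).
sample_inventory() {
    cat <<'EOF'
# device-id     security_patch
pixel-test-01   2026-03-05
oem-phone-02    2026-03-01
oem-phone-03    2026-02-05
oem-tablet-04   2026-04-01
kiosk-05
EOF
}

sample_inventory | audit_inventory
```

A device that reports no patch level, or a vendor string that is not a date, is reported as `invalid` rather than silently counted as patched.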




