Which devices are affected by CVE-2026-21385?

The vulnerability affects 234 Qualcomm chipsets, impacting a wide range of Android devices.

How can users protect their devices from CVE-2026-21385?

Users should apply the March 2026 security patch promptly to mitigate the risks associated with this vulnerability.

Android 2026 Security Update: Addressing CVE-2026-21385 in Qualcomm Components

Google's March 2026 security update fixes 129 vulnerabilities, including the actively exploited CVE-2026-21385 in Qualcomm's display component.

Published: March 3, 2026

Share this on:

Executive Summary

In March 2026, Google released a security update addressing 129 vulnerabilities in Android devices, notably CVE-2026-21385—a high-severity flaw in Qualcomm's display component. This vulnerability, an integer overflow leading to memory corruption, was reported by Google's Android Security team on December 18, 2025, and has been confirmed to be under limited, targeted exploitation in the wild. The flaw affects 234 Qualcomm chipsets, spanning a wide range of devices. (cyberscoop.com)

The active exploitation of CVE-2026-21385 underscores the critical need for timely security updates. Organizations and individuals using affected devices should prioritize applying the March 2026 security patch to mitigate potential risks associated with this vulnerability. (cyberscoop.com)

Why This Matters Now

The active exploitation of CVE-2026-21385 highlights the urgency for users to apply the March 2026 security patch promptly to protect their devices from potential attacks.

Attack Path Analysis

An attacker exploits CVE-2026-21385, a buffer over-read vulnerability in Qualcomm's graphics component, to achieve initial compromise. This leads to privilege escalation, allowing the attacker to gain higher-level access. The attacker then moves laterally within the device, potentially accessing other components or data. Establishing command and control, the attacker communicates with external servers to receive instructions or exfiltrate data. Data exfiltration occurs as sensitive information is transmitted out of the device. Finally, the attacker may cause impact by disrupting device functionality or deploying malicious payloads.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Lowinferred

Command & Control

Lowinferred

Exfiltration

Lowinferred

Impact

Lowinferred

Initial Compromise

Description

The attacker exploits CVE-2026-21385, a buffer over-read vulnerability in Qualcomm's graphics component, to execute arbitrary code on the device.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2026-21385
CVSS 7.8
A buffer over-read vulnerability in the Graphics component of Qualcomm's open-source code for Android devices, leading to memory corruption.
Affected Products:
Qualcomm Graphics Component – unspecified
Exploit Status:
exploited in the wild
References:
https://source.android.com/docs/security/bulletin/2026/2026-03-01 https://docs.qualcomm.com/securitybulletin/march-2026-bulletin.html

MITRE ATT&CK® Techniques

Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.

Execution

T1203

Exploitation for Client Execution

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Impact

T1499

Endpoint Denial of Service

Defense Evasion

T1620

Reflective Code Loading

Persistence

T1574.006

Dynamic Linker Hijacking

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

Control ID: 6.2

The exploitation of CVE-2026-21385 indicates a failure to apply timely security patches, exposing systems to known vulnerabilities.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests inadequacies in the organization's cybersecurity policy, particularly in vulnerability management and patching procedures.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach highlights deficiencies in the ICT risk management framework, failing to address and mitigate known software vulnerabilities effectively.

CISA ZTMM 2.0 – Device Security

Control ID: Pillar 3: Devices

The exploitation of a device component vulnerability underscores the need for enhanced device security measures within the zero trust architecture.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident reveals shortcomings in implementing appropriate cybersecurity risk management measures to prevent exploitation of known vulnerabilities.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Telecommunications

Android vulnerability exploitation threatens mobile network infrastructure, requiring immediate patching of Qualcomm components to prevent privilege escalation and system compromise.

Consumer Electronics

Buffer over-read vulnerability in Qualcomm graphics components exposes Android devices to targeted attacks, requiring coordinated firmware updates across manufacturers.

Health Care / Life Sciences

Mobile device compromise via CVE-2026-21385 threatens HIPAA compliance and patient data security in healthcare environments using Android-based medical systems.

Financial Services

Android vulnerability enables potential privilege escalation attacks on mobile banking platforms, requiring immediate security controls and encrypted traffic monitoring implementation.

Sources

Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploitedhttps://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html
Verified

Android Security Bulletin—March 2026https://source.android.com/docs/security/bulletin/2026/2026-03-01

Verified

Qualcomm March 2026 Security Bulletinhttps://docs.qualcomm.com/securitybulletin/march-2026-bulletin.html

Verified

Frequently Asked Questions

CVE-2026-21385 is a high-severity integer overflow vulnerability in Qualcomm's display component, leading to memory corruption and confirmed to be under limited, targeted exploitation.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it can significantly limit the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While Aviatrix CNSF may not prevent the initial exploitation, it would likely limit the attacker's subsequent actions by enforcing strict segmentation and access controls.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Aviatrix Zero Trust Segmentation would likely restrict the attacker's ability to escalate privileges by enforcing least-privilege access controls and isolating workloads.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Aviatrix East-West Traffic Security would likely constrain the attacker's lateral movement by monitoring and controlling internal traffic flows.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Aviatrix Multicloud Visibility & Control would likely detect and restrict unauthorized outbound communications, thereby limiting command and control activities.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit data exfiltration by enforcing strict egress policies and monitoring outbound traffic.

Impact (Mitigations)

While Aviatrix CNSF may not prevent the initial compromise, it would likely reduce the overall impact by limiting the attacker's ability to move laterally, escalate privileges, and exfiltrate data.

Impact at a Glance

Affected Business Functions

Mobile Device Security
User Data Protection

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Potential exposure of sensitive user data due to memory corruption.

Recommended Actions

• Implement Inline IPS (Suricata) to detect and prevent exploitation attempts of known vulnerabilities like CVE-2026-21385.
• Deploy Zero Trust Segmentation to limit lateral movement within devices and networks.
• Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
• Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unusual activities promptly.
• Regularly update and patch devices to mitigate known vulnerabilities and reduce the attack surface.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Android 2026 Security Update: Addressing CVE-2026-21385 in Qualcomm Components

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2026-21385

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploitation for Client Execution

Exploitation for Privilege Escalation

Endpoint Denial of Service

Reflective Code Loading

Dynamic Linker Hijacking

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Device Security

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Telecommunications

Consumer Electronics

Health Care / Life Sciences

Financial Services

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads