TechRadar
Sead Fadilpašić

Google patches 129 Android security flaws — including a potentially dangerous Qualcomm zero-day

Android reboot interface.

  • Google released March 2026 Android update fixing 129 flaws
  • Includes 10 critical bugs and CVE-2026-21385 (7.8/10), exploited in the wild across 235 Qualcomm chipsets
  • Two patch levels (2026-03-01, 2026-03-05) issued; Pixel devices patched first, OEM rollout expected later

Google has released a new security update which fixed 129 vulnerabilities in the Android ecosystem, including 10 critical-severity bugs, and one high-severity issue apparently being exploited in the wild.

In a security advisory, Google said that it fixed a buffer over-read vulnerability in the Graphics component (an open-source Qualcomm module). The bug, tracked as CVE-2026-21385, was given a severity score of 7.8/10.

"Memory corruption when adding user-supplied data without checking available buffer space," Qualcomm said in a separate advisory.

Two sets of patches

This bug, Google said, was used in real-life attacks: “There are indications that CVE-2026-21385 may be under limited, targeted exploitation,” it said. Other details were not shared. Qualcomm said the bug was first spotted on December 18, and customers were notified on February 2. It affects 235 chipsets.

Google also addressed 10 vulnerabilities across the System, Framework, and Kernel components that were all labeled as critical and could theoretically be used in remote code execution, privilege escalation, and DoS attacks.

"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation," Google stressed.

To fix the flaws, the company released two separate patches - 2026-03-01 and 2026-03-05. The second one contains fixes for all 129 bugs, as well as fixes for closed-source third-party and kernel subcomponents.

Given the fragmentation of the Android ecosystem, it might take a while before most devices are patched. OEMs, such as Samsung, OnePlus, or Xiaomi, now need to take these patches and work them into their products and patch cadence. Pixel devices are expected to receive these patches first, since they are Google's own product.
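Because OEM rollout lags, a fleet owner needs to know which devices have reached which of the two patch levels. The script below is an added example, not code from Google, Qualcomm or TechRadar; it classifies reported security patch levels against 2026-03-01 and 2026-03-05, and the device names and inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the two
# March 2026 levels named in the article. The inventory is constructed.
# On a live device the value comes from:
#   adb shell getprop ro.build.version.security_patch

PARTIAL_LEVEL=20260301   # 2026-03-01: first patch level
FULL_LEVEL=20260305      # 2026-03-05: level containing all 129 fixes

# classify_patch_level YYYY-MM-DD -> prints full | partial | missing | invalid
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;   # empty or malformed value
    esac
    level=$(printf '%s' "$1" | tr -d '-')
    if [ "$level" -ge "$FULL_LEVEL" ]; then
        echo full
    elif [ "$level" -ge "$PARTIAL_LEVEL" ]; then
        echo partial
    else
        echo missing
    fi
}

# audit_inventory: reads "device,patch_level" lines on stdin, prints
# "device,patch_level,status", returns non-zero if any device is not "full".
audit_inventory() {
    rc=0
    while IFS=, read -r device patch; do
        [ -n "$device" ] || continue
        status=$(classify_patch_level "$patch")
        printf '%s,%s,%s\n' "$device" "$patch" "$status"
        [ "$status" = full ] || rc=1
    done
    return "$rc"
}

# Constructed sample inventory (hypothetical device names).
sample_inventory() {
    cat <<'EOF'
pixel-lab-01,2026-03-05
oem-phone-17,2026-03-01
oem-tablet-04,2026-02-05
kiosk-09,unknown
EOF
}

sample_inventory | audit_inventory || echo "devices below 2026-03-05 found"
```

A device that reports no parseable patch level is flagged as `invalid` rather than silently treated as patched.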

