Google disclosed CVE-2026-21385 in its March 2026 Android security bulletin. The vulnerability affects Qualcomm components in Android devices and is actively exploited in limited, targeted attacks.
Qualcomm was notified on December 18, 2025. Customers received notification on February 2, 2026. Public disclosure followed in March 2026.
What It Does
A vulnerability in Qualcomm chipset components allows exploitation leading to compromise of Android devices. Specific technical details remain limited to prevent widespread exploitation.
Google statement: "There are indications that CVE-2026-21385 may be under limited, targeted exploitation."
Limited targeting suggests sophisticated threat actors are using this against specific high-value targets, not mass exploitation.
Who's Affected
Android devices using Qualcomm chipsets. This affects hundreds of millions of devices globally.
Check your device:
- Settings > About phone > Android version
- If you're not on the March 2026 security patch or later, you're vulnerable
Qualcomm chipsets affected: Specific chipset models have not been publicly disclosed, to limit the information available to attackers.
March 2026 Android Security Update
Google's March update patches 129 vulnerabilities total, including CVE-2026-21385.
Other critical issues fixed:
- CVE-2026-0006: Remote code execution in System component (CVSS 9.8)
  - No privileges required
  - No user interaction needed
  - Most severe issue in this update
- CVE-2026-0047: Privilege escalation in Framework
- CVE-2025-48631: Denial of service in System
- Seven privilege escalation flaws in Kernel components
This is significantly higher than recent months. Google addressed one Android vulnerability in January 2026 and zero in February 2026.
Patch Now
Action required: Install the March 2026 Android security update immediately.
How to check:
- Settings > System > System update
- Check for updates
- Verify security patch level shows "March 2026" or later
If the update is not available:
- Check with device manufacturer
- Some devices receive updates on a delayed schedule
- Older devices may not receive this patch
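For administrators with several devices to verify, the patch-level check above can be scripted over adb. This is an added example, not code from Google's or Qualcomm's bulletins; it assumes "March 2026 or later" means a patch level of 2026-03-01 or newer, and it treats `ro.soc.manufacturer` values of QTI or Qualcomm as a heuristic for a Qualcomm chipset. The inventory rows are constructed.

```sh
#!/bin/sh
# Added example. Assumption: "March 2026 or later" = patch level >= 2026-03-01.
MIN_PATCH="2026-03-01"

# Print PATCHED, VULNERABLE or UNKNOWN for one patch-level string.
classify_patch() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo UNKNOWN; return 0 ;;   # empty or malformed property value
  esac
  have=$(printf '%s' "$1" | tr -d '-')          # 2026-03-05 -> 20260305
  need=$(printf '%s' "$MIN_PATCH" | tr -d '-')
  if [ "$have" -lt "$need" ]; then echo VULNERABLE; else echo PATCHED; fi
}

# Heuristic (assumption): these ro.soc.manufacturer values indicate a Qualcomm SoC.
is_qualcomm() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in qti|qualcomm*) return 0 ;; esac
  return 1
}

# Read "serial|patch|soc" rows on stdin; fail if a Qualcomm device is not confirmed patched.
audit_inventory() {
  at_risk=0
  while IFS='|' read -r serial patch soc; do
    [ -n "$serial" ] || continue
    status=$(classify_patch "$patch")
    if is_qualcomm "$soc"; then chip=qualcomm; else chip=other-or-unknown; fi
    printf '%s %s %s %s\n' "$serial" "${patch:-none}" "$chip" "$status"
    if [ "$chip" = qualcomm ] && [ "$status" != PATCHED ]; then at_risk=$((at_risk + 1)); fi
  done
  [ "$at_risk" -eq 0 ]
}

# Live collection (needs adb and USB debugging): emits the rows audit_inventory reads.
collect_from_adb() {
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r s; do
    # </dev/null stops adb from swallowing the remaining serials on stdin
    p=$(adb -s "$s" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
    m=$(adb -s "$s" shell getprop ro.soc.manufacturer </dev/null | tr -d '\r')
    printf '%s|%s|%s\n' "$s" "$p" "$m"
  done
}

# Constructed sample inventory so the script runs without a device attached.
sample_inventory() {
  printf '%s\n' 'DEMO01|2026-03-05|QTI' 'DEMO02|2026-01-01|Qualcomm' 'DEMO03|2025-12-05|Mediatek' 'DEMO04||QTI'
}

sample_inventory | audit_inventory || echo "Qualcomm devices below $MIN_PATCH found"
```

To run it against attached devices, replace the last line with `collect_from_adb | audit_inventory`.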
Why Targeted Exploitation Matters
"Limited, targeted exploitation" means:
- Not widespread attacks
- Sophisticated threat actors
- Specific high-value targets
- Zero-day capability before patch
Likely targets:
- Government officials
- Journalists
- Activists
- Corporate executives
- High-value individuals
Threat actors with these capabilities:
- Nation-state APT groups
- Commercial spyware vendors
- Well-funded criminal organizations
The Qualcomm Supply Chain
Qualcomm chipsets power the majority of Android devices globally. A vulnerability in Qualcomm components affects hundreds of device manufacturers:
- Samsung
- Google Pixel
- OnePlus
- Xiaomi
- Motorola
- Many others
One vulnerability, massive impact surface.
Android Patching Reality
Flagship devices: Usually receive updates within days of Google release.
Mid-range devices: Updates arrive weeks to months later.
Budget devices: May never receive this patch.
Older devices: No longer supported, permanently vulnerable.
This is Android's fundamental security challenge. Google patches quickly. Manufacturers and carriers delay deployment. Users are stuck waiting.
Check for Compromise
If you're a high-value target and your update was delayed, check for:
- Unexpected battery drain
- Unusual network activity
- Apps you didn't install
- Permission changes you didn't make
- Unfamiliar processes running
Mobile device forensics requires specialized tools. If compromise is suspected, contact security professionals.
Bottom Line
CVE-2026-21385 is a Qualcomm vulnerability in Android devices under active targeted exploitation.
Install March 2026 Android security update immediately. Verify your security patch level shows March 2026 or later.
If your device doesn't receive updates, consider upgrading to a supported device. Unpatched vulnerabilities accumulate, and security degrades over time.
Priority: High for all Android users, Critical for high-value targets.
---
Sources:
- Google Android Security Bulletin March 2026
- Qualcomm Security Bulletin
- Android vulnerability tracking