Google patches 129 Android vulnerabilities including an exploited Qualcomm flaw

Google's March Android update patches 129 vulnerabilities, including an actively exploited Qualcomm chipset flaw, in its largest single-month security release since 2018.

Mar 3, 2026
Technobezz

An actively exploited zero-day affecting 234 Qualcomm chipsets headlines the March update, which patches 129 total flaws in the largest single-month batch since April 2018.

Google disclosed Monday that CVE-2026-21385 (CVSS score: 7.8), a high-severity buffer over-read flaw in Qualcomm's graphics component, "may be under limited, targeted exploitation." The memory corruption issue arises when user-supplied data is added without checking the available buffer space, creating an integer overflow condition.

The chipmaker received the vulnerability report from Google's Android Security team on December 18, 2025 and notified customers on February 2, 2026. The company declined to specify when exploitation began or how many devices were affected during the ten-week gap between reporting and public disclosure.

"This is the highest number of Android vulnerabilities patched in a single month since April 2018," according to security researchers tracking the update cadence. The company addressed just one flaw in January and none in February, following an uneven disclosure pattern throughout 2025 that included months with zero reported issues.

The March security bulletin includes two patch levels, 2026-03-01 and 2026-03-05, giving device manufacturers flexibility to address common flaws across different hardware configurations. The primary update contains 63 issues across framework, system, and Google Play components, while the secondary patch addresses another 66 including kernel problems and defects from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc.
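The following check is an added example, not part of the original article or of any Google tooling: it classifies a device's reported security patch level against the two March levels named above. It assumes the level string is read from Android's `ro.build.version.security_patch` property; the inventory and its serials are constructed.

```shell
#!/bin/sh
# Added example: classify device patch levels against the March 2026 bulletin.
# On a device, the level string comes from:
#   adb shell getprop ro.build.version.security_patch
LEVEL_PRIMARY="2026-03-01"    # framework, system, Google Play components
LEVEL_SECONDARY="2026-03-05"  # adds kernel and vendor (incl. Qualcomm) fixes

# YYYY-MM-DD -> YYYYMMDD integer; fails on anything else.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s\n' "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# Prints: full | partial | behind | unknown
classify_patch_level() {
    dev=$(level_to_int "$1") || { echo "unknown"; return 0; }
    if [ "$dev" -ge "$(level_to_int "$LEVEL_SECONDARY")" ]; then
        echo "full"
    elif [ "$dev" -ge "$(level_to_int "$LEVEL_PRIMARY")" ]; then
        echo "partial"
    else
        echo "behind"
    fi
}

# Reads "serial patch_level" lines on stdin, prints "serial status".
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(classify_patch_level "$level")"
    done
}

# Constructed inventory (hypothetical serials), not real devices.
sample_inventory() {
    cat <<'EOF'
DEV-A 2026-03-05
DEV-B 2026-03-01
DEV-C 2026-01-05
DEV-D unknown-build
EOF
}

sample_inventory | audit_inventory
```

A `partial` result means the device reports only the 2026-03-01 level, so the kernel and vendor component fixes in the 2026-03-05 level are not yet covered.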

Alongside critical fixes, the March system updates introduce modest feature improvements through Google Play services v26.08 and Google Play Store v50.4. The Play Store now surfaces app recommendations through short-form video content on phones, while Play Services receives privacy-focused system management updates across Auto, PC, Phone, TV, and Wear OS platforms.

"We commend the researchers from Google's Threat Analysis Group for using coordinated disclosure practices," a Qualcomm spokesperson said. "Fixes were made available to our customers in January 2026." The company emphasized its focus on high-risk flaws despite fluctuating monthly totals. Two other zero-days (CVE-2025-48633 and CVE-2025-48572) patched in December were also under limited, targeted exploitation.

"Android stops most vulnerability exploitation at the source with extensive platform hardening," a company spokesperson noted in December. Memory-safe language implementations like Rust remain a priority while addressing the most dangerous issues first.

Source code patches for all March vulnerabilities will be available in the Android Open Source Project repository by Wednesday, marking the first time since April 2018 that a single monthly update addresses over 125 flaws.
