Google disclosed one actively exploited zero-day vulnerability Monday, warning that the high-severity defect affecting an open-source Qualcomm display component for Android devices “may be under limited, targeted exploitation.”
The memory-corruption vulnerability — CVE-2026-21385 — which Google’s Android security team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a security bulletin. Qualcomm said it notified customers of the vulnerability Feb. 2.
Qualcomm declined to say when the earliest known instance of exploitation occurred, how many victims have been directly impacted, and what occurred during the 10-week period between the reporting and public disclosure of the vulnerability.
“We commend the researchers from Google’s Threat Analysis Group for using coordinated disclosure practices,” a Qualcomm spokesperson told CyberScoop. “Fixes were made available to our customers in January 2026. We encourage end users to apply security updates as they become available from device makers.”
A Google spokesperson said Qualcomm marked the vulnerability as exploited. “We don’t have any info or access to the exploit reports,” the spokesperson added.
Google addressed 129 defects in its monthly security update for Android devices, reflecting a surge in vulnerability disclosures from the vendor. The company’s latest security update contains the highest number of Android vulnerabilities patched in a single month since April 2018.
Google’s public vulnerability disclosure and reporting program for Android has been uneven. The company typically issued dozens of security patches each month, but that cadence has shifted to a more occasional routine.
So far this year, Google addressed one Android vulnerability in January and none in February. There were occasional lulls last year as well, when Google reported no vulnerabilities in July and October, six in August and two in November. Yet disclosures for 2025 peaked with 120 defects in September and rebounded again in December with 107 vulnerabilities, including two zero-days.
Google previously responded to questions about dips in the number of vulnerabilities it discloses each month, noting that it remains focused on defects that pose the greatest danger.
“Android stops most vulnerability exploitation at the source with extensive platform hardening, like our use of the memory-safe language Rust and advanced anti-exploitation protections,” a Google spokesperson said in December. “Android and Pixel continuously address known security vulnerabilities and prioritize fixing and patching the highest-risk ones first.”
The Android security bulletin for March includes two patch levels — 2026-03-01 and 2026-03-05 — allowing Android partners to address common vulnerabilities on different devices. Android device manufacturers release security patches on their own schedule after they’ve customized operating system updates for their specific hardware.
The primary security update contains 63 vulnerabilities, including 32 in the framework, 19 in the system and 12 affecting Google Play. Nearly half of those vulnerabilities have CVE identifiers from 2025.
The second patch addresses 66 vulnerabilities, including 15 vulnerabilities affecting the kernel, one Arm component defect, seven Imagination Technologies flaws and seven vulnerabilities in Unisoc components.
The second patch level also contains fixes for eight vulnerabilities in closed-source Qualcomm components and seven high-severity defects in open-source Qualcomm components, including CVE-2026-21385.
Google said source code for all vulnerabilities addressed in this month’s Android security bulletin will be released to the Android Open Source Project repository by Wednesday.
The post Google addresses actively exploited Qualcomm zero-day in fresh batch of 129 Android vulnerabilities appeared first on CyberScoop.
