
Google patches 129 Android security flaws — including a potentially dangerous Qualcomm zero-day

2026-03-03 17:25

One of the bugs was exploited in the wild and ten were deemed critical.

By Sead Fadilpašić, published 3 March 2026

  • Google released March 2026 Android update fixing 129 flaws
  • Includes 10 critical bugs and CVE-2026-21385 (7.8/10), exploited in the wild across 235 Qualcomm chipsets
  • Two patch levels (2026-03-01, 2026-03-05) issued; Pixel devices patched first, OEM rollout expected later

Google has released a new security update that fixes 129 vulnerabilities in the Android ecosystem, including 10 critical-severity bugs and one high-severity issue apparently being exploited in the wild.

In a security advisory, Google said that it fixed a buffer over-read vulnerability in the Graphics component (an open-source Qualcomm module). The bug, tracked as CVE-2026-21385, was given a severity score of 7.8/10.

"Memory corruption when adding user-supplied data without checking available buffer space," Qualcomm said in a separate advisory.


Two sets of patches

This bug, Google said, was used in real-life attacks: “There are indications that CVE-2026-21385 may be under limited, targeted exploitation,” it said. Other details were not shared. Qualcomm said the bug was first spotted on December 18, and customers were notified on February 2. It affects 235 chipsets.

Google also addressed 10 vulnerabilities across the System, Framework, and Kernel components that were all labeled critical and could theoretically be used in remote code execution, privilege escalation, and DoS attacks.

"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation," Google stressed.

To fix the flaws, the company released two separate patches, 2026-03-01 and 2026-03-05. The second one contains fixes for all 129 bugs, as well as fixes for closed-source third-party and kernel subcomponents.


Given the fragmentation of the Android ecosystem, it might take a while before most devices are patched. OEMs such as Samsung, OnePlus, or Xiaomi now need to take these patches and work them into their products and patch cadence. Pixel devices are expected to receive these patches first, since they are Google's own product.
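To see where a device or a managed fleet stands against the two patch levels described above, the reported security patch level can be compared with 2026-03-01 and 2026-03-05. The script below is an added example, not part of the original article or of Google's advisory; the function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Patch-level strings from the article. A device reports its own level via:
#   adb shell getprop ro.build.version.security_patch
PARTIAL_LEVEL="2026-03-01"   # first of the two March 2026 patch levels
FULL_LEVEL="2026-03-05"      # per the article, contains fixes for all 129 bugs

# to_num: turn YYYY-MM-DD into YYYYMMDD so levels compare as integers.
to_num() {
    printf '%s' "$1" | tr -d '-'
}

# classify_patch_level: print full | partial | unpatched | invalid.
# Only the YYYY-MM-DD shape is checked, not month/day ranges.
classify_patch_level() {
    level=$(printf '%s' "$1" | tr -d '\r')   # adb output may carry a trailing CR
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    n=$(to_num "$level")
    if [ "$n" -ge "$(to_num "$FULL_LEVEL")" ]; then
        echo full
    elif [ "$n" -ge "$(to_num "$PARTIAL_LEVEL")" ]; then
        echo partial
    else
        echo unpatched
    fi
}

# count_not_full: read "serial patch-level" lines on stdin, write a per-device
# report to stderr, and print the number of devices that are not at "full".
count_not_full() {
    pending=0
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(classify_patch_level "$level")
        printf '%s\t%s\t%s\n' "$serial" "$level" "$status" >&2
        [ "$status" = full ] || pending=$((pending + 1))
    done
    echo "$pending"
}

# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE_INVENTORY='pixel-lab-01 2026-03-05
oem-phone-17 2026-03-01
oem-tablet-04 2026-02-05
kiosk-09 unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | count_not_full
```

Devices reported as `invalid` returned no parseable patch level and should be checked by hand rather than assumed patched.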


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
