Google patches 129 Android vulnerabilities, including exploited zero-day

Google has released security updates to address 129 vulnerabilities affecting the Android operating system. Among these is a zero-day flaw in a Qualcomm display component that shows signs of limited, targeted exploitation, according to a recent report by Bleeping Computer.

The critical vulnerability, identified as CVE-2026-21385, is an integer overflow in a Qualcomm graphics subcomponent that could allow local attackers to cause memory corruption. Qualcomm disclosed that this flaw affects 235 chipsets and was alerted to it in December. Google's March security bulletin also includes fixes for 10 critical vulnerabilities in System, Framework, and Kernel components, some of which could lead to remote code execution without user interaction or additional privileges.

Google provided two patch levels: March 1 and March 5, with the latter including fixes for closed-source components. While Google Pixel devices receive immediate updates, the staggered rollout by other manufacturers means many users may remain vulnerable for an extended period.

Source: Bleeping Computer