Overview
- Google’s March bulletin ships two patch levels—2026-03-01 with 63 fixes and 2026-03-05 with 66—with the zero-day addressed in the latter.
- CVE-2026-21385 is a buffer over-read and integer overflow in an open-source Qualcomm graphics/display component that causes memory corruption.
- Qualcomm says 234 chipsets are affected, with fixes made available to customers in January and OEM notifications sent on February 2.
- Google reported the flaw to Qualcomm on December 18, 2025, and public disclosure with patches followed on March 2, 2026.
- Qualcomm has not detailed when exploitation began or how many victims were impacted, and Google will publish related source code to AOSP as device makers roll out updates.