Google Confirms Exploited Qualcomm Graphics Flaw in Android
⚠ Google confirmed that CVE-2026-21385, a high-severity buffer over-read in a Qualcomm graphics component used on Android devices, has been observed exploited in the wild. Qualcomm characterizes the defect as an integer overflow that permits memory corruption when user-supplied data is written without checking buffer space. The issue (CVSS 7.8) was reported to Qualcomm by Google's Android Security team on December 18, 2025, and customers were notified on February 2, 2026. Google’s March 2026 security bulletin includes this fix among 129 patches and notes indications of limited, targeted exploitation.
