New Delhi: Google’s March 2026 Android Security Bulletin has landed, and this time, it is not just another routine patch drop. The company has fixed 129 vulnerabilities in one go, including a high-severity Qualcomm flaw that may already be under attack in the wild.
In fact, Google itself noted in its bulletin that “there are indications that CVE-2026-21385 may be under limited, targeted exploitation”. That line alone changes the mood.
Zero day alert: Qualcomm display flaw under spotlight
The vulnerability in focus is CVE-2026-21385. It affects an open-source Qualcomm display component used in Android devices. Qualcomm described it as memory corruption caused by adding user-supplied data without checking buffer space.
In simple words, this bug can allow attackers to read beyond the memory they should access. Qualcomm said the flaw was reported by Google’s Android Security team on December 18, 2025 and customers were notified on February 2, 2026.
129 fixes in one update
Google’s March bulletin patches 129 vulnerabilities in total. That is the highest number in a single month since April 2018, according to reporting cited in the draft above.
Here is a quick look at some of the most serious issues fixed:
| CVE ID | Component | Type | Severity |
|---|---|---|---|
| CVE-2026-0006 | System | RCE | Critical |
| CVE-2026-0047 | Framework | EoP | Critical |
| CVE-2025-48631 | System | DoS | Critical |
| CVE-2026-21385 | Qualcomm Display | Memory corruption | High |
The bulletin clearly states that the most severe issue in the System component “could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation”. That line is scary. It means an attacker may not even need you to click anything.
Two patch levels explained
Google has again used two security patch levels for March:
- 2026-03-01
- 2026-03-05
Devices on the 2026-03-05 patch level get fixes for kernel components and chipset issues from Qualcomm, MediaTek, Unisoc, Arm and others. The 2026-03-01 level covers core Android framework and system flaws.
Google explains that this split gives partners flexibility to roll out fixes faster. In reality, I have seen many phones in India wait weeks for full updates. So check your patch date. It matters.
A surge after quiet months
Earlier this year, Google fixed just one Android flaw in January and none in February, according to the reporting cited above. Now, suddenly, 129 vulnerabilities appear in March. That swing feels dramatic.
Google has said before that it focuses on the most dangerous defects first. Still, such spikes always grab attention in the security community.
What users should do
If you are on Android 10 or later, you may receive both security updates and Google Play system updates. Google Play Protect also plays a role in reducing exploitation risks by warning about harmful apps.
My advice is simple:
- Check your Android security patch level
- Install updates as soon as your device maker releases them
- Avoid sideloading apps from unknown sources
This month’s bulletin is a reminder. Even mature platforms like Android keep facing new bugs. Some get fixed quietly. Some, like CVE-2026-21385, show signs of active exploitation.
As of March 3, 2026, the patch is out. Now the real question is how fast device makers will push it to users. In cybersecurity, speed is everything.