Full Report
Google on Monday disclosed that a high-severity security flaw impacting an open-source Qualcomm component used in Android devices has been exploited in the wild. The vulnerability in question is CVE-2026-21385 (CVSS score: 7.8), a buffer over-read in the Graphics component. "Memory corruption when adding user-supplied data without checking available buffer space," Qualcomm said in an advisory,
Analysis Summary
# Vulnerability: Qualcomm Graphics Component Memory Corruption
## CVE Details
- **CVE ID:** CVE-2026-21385
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-190 (Integer Overflow) / CWE-125 (Buffer Over-read)
## Affected Systems
- **Products:** Android devices utilizing affected Qualcomm chipsets.
- **Versions:** Specific versions vary by OEM; impacts devices running Android with security patch levels prior to 2026-03-05.
- **Configurations:** Devices using the open-source Qualcomm Graphics component.
## Vulnerability Description
The vulnerability is characterized as an integer overflow that leads to a buffer over-read within the Graphics component. According to Qualcomm, memory corruption occurs when the system adds user-supplied data without properly verifying the available buffer space. This flaw allows an attacker to potentially access sensitive information or cause memory instability by providing maliciously crafted input.
## Exploitation
- **Status:** Exploited in the wild (Limited, targeted exploitation confirmed by Google).
- **Complexity:** Undisclosed (Likely Medium based on the nature of graphics component exploits).
- **Attack Vector:** Local (Typically requires a malicious application or a compromised process on the device to interact with the Graphics driver).
## Impact
- **Confidentiality:** High (Potential to read sensitive memory contents).
- **Integrity:** Medium (Memory corruption can lead to inconsistent system states).
- **Availability:** High (Can lead to system crashes or denial-of-service).
## Remediation
### Patches
- **Android Security Patch Level 2026-03-05:** Users should update their devices to this patch level or later to resolve the issue.
- **Qualcomm Advisory:** Patches have been made available to OEMs as of February 2, 2026.
### Workarounds
- No specific software workarounds are available. Users are advised to limit the installation of applications from untrusted sources to reduce the risk of local exploitation.
## Detection
- **Indicators of Compromise:** Currently, specific IoCs are not publicly available due to the "targeted" nature of the attacks.
- **Detection Methods:** Mobile Threat Defense (MTD) solutions may detect unusual memory access patterns or crashes in the graphics subsystem. Security administrators should audit device patch levels to ensure they meet the 2026-03-05 requirement.
## References
- Google Android Security Bulletin (March 2026): hxxps[://]source[.]android[.]com/docs/security/bulletin/2026/2026-03-01
- Qualcomm Security Bulletin (March 2026): hxxps[://]docs[.]qualcomm[.]com/securitybulletin/march-2026-bulletin[.]html
- Original Article: hxxps[://]thehackernews[.]com/2026/03/google-confirms-cve-2026-21385-in[.]html