Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited

"Memory corruption when adding user-supplied data without checking available buffer space. The chipmaker said the flaw was reported to it through Google's Android Security team on December 18, 2025. Customers were notified of the security defect on February 2, 2026."
"Google acknowledged in its monthly Android security bulletin that there are indications that CVE-2026-21385 may be under limited, targeted exploitation. Google's March 2026 update contains patches for a total of 129 vulnerabilities, including a critical flaw in the System component that could lead to remote code execution without requiring any additional privileges or user interaction."
"Also patched by Google are multiple critical-rated bugs: a privilege escalation bug in Framework, a denial-of-service in System, and seven privilege escalation flaws in Kernel components. The Android security bulletin includes two patch levels to give Android partners the flexibility to address common vulnerabilities on different devices more quickly."
Google revealed a high-severity buffer over-read vulnerability (CVE-2026-21385, CVSS 7.8) in a Qualcomm Graphics component used in Android devices that is currently under limited, targeted exploitation. The flaw involves memory corruption from an integer overflow when user-supplied data is processed without validating the available buffer space. Qualcomm was notified on December 18, 2025, and customers were notified on February 2, 2026. Google's March 2026 security update patches 129 vulnerabilities in total, including critical flaws: a remote code execution bug in the System component (CVE-2026-0006), a privilege escalation in Framework (CVE-2026-0047), a denial-of-service in System (CVE-2025-48631), and seven privilege escalation bugs in Kernel components. Two patch levels (2026-03-01 and 2026-03-05) give Android partners flexibility in addressing vulnerabilities across different devices.
Read at The Hacker News