Google Android March 2026 Security Bulletin Patches 129 Vulnerabilities, One Actively Exploited Qualcomm Flaw
Take action: A critical update for Android, including a patch for an actively exploited flaw. Most users cannot rush the patch, because their vendor may not yet have released an updated Android build for their device. Do not delay updating your Android device when you see the alert that an update is available. Your device may be targeted via the Qualcomm flaw.
Google has published its March 2026 Android Security Bulletin, patching a total of 129 security vulnerabilities across the Android platform — making it one of the largest Android security updates to date.
The most severe issue is a critical remote code execution (RCE) flaw in the System component that can be exploited without any user interaction or additional execution privileges.
Google has confirmed that one vulnerability, a high-severity flaw in a Qualcomm Display component, is already being actively exploited in limited, targeted attacks in the wild.
Vulnerability summary:
- CVE-2026-21385 (CVSS score 7.8) is an actively exploited memory corruption vulnerability in the Qualcomm Display component. Qualcomm describes it as memory corruption caused by an integer overflow that occurs when user-supplied data is added without checking the available buffer space. Google has not disclosed technical details about how the exploitation is being carried out, but organizations running devices with Qualcomm chipsets should treat patching as time-sensitive.
- CVE-2026-0006 (CVSS score 9.8) — A critical heap buffer overflow in the System component (Media Codecs) that enables remote code execution with no privileges or user interaction required. This is the most severe vulnerability in the bulletin.
- CVE-2026-0037 (CVSS score 9.0) — A critical elevation of privilege in the Protected Kernel-Based Virtual Machine (pKVM) that could allow an attacker to break virtual machine isolation.
- CVE-2026-0038 (CVSS score 9.0) — A critical elevation of privilege in the Hypervisor, potentially enabling virtual machine escape to host control.
- CVE-2026-0027 (CVSS score 9.0) — A critical elevation of privilege in pKVM enabling kernel virtualization privilege escalation.
- CVE-2026-0028 (CVSS score 9.0) — A critical elevation of privilege in pKVM allowing local attackers to escalate privileges within protected virtual machines.
- CVE-2026-0030 (CVSS score 9.0) — A critical elevation of privilege in pKVM resulting in high-impact virtualization isolation bypass.
- CVE-2026-0031 (CVSS score 9.0) — A critical elevation of privilege in pKVM enabling privilege escalation across virtual machine boundaries.
- CVE-2026-0047 (CVSS score 8.8) — A critical elevation of privilege flaw in the Android Framework that allows local privilege escalation without additional execution privileges or user interaction. Affects Android 16-QPR2.
- CVE-2024-43859 (CVSS score 8.8) — A critical elevation of privilege in the Kernel's Flash-Friendly File System (F2FS) enabling local file system privilege escalation.
- CVE-2025-48631 (CVSS score 7.5) — A critical denial-of-service vulnerability in the System component caused by resource exhaustion in LocalImageResolver.java, allowing remote attackers to trigger persistent denial of service without privileges or user interaction. Affects Android 14, 15, 16, and 16-QPR2.
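The Qualcomm Display flaw and the Media Codecs heap overflow above both belong to one bug class: a length check on user-supplied data that can be defeated by integer overflow, so data is copied past the end of a buffer. The following C program is an added, constructed illustration of that class and its fix; it is not Qualcomm's, Google's or Android's code, and the names `naive_check_accepts`, `safe_check_accepts`, `frame_buf` and `frame_buf_append` are assumptions made for the example. The naive check adds `used + len` and compares against the capacity, which wraps around for a large `len`; the hardened check subtracts first so that no addition can wrap.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration (not Qualcomm's or Android's code) of the bug
 * class described in the bulletin: an integer overflow in a length check
 * that lets user-supplied data be appended past the end of a buffer. */

#define BUF_CAP 256u

struct frame_buf {
    uint8_t data[BUF_CAP];
    size_t  used;        /* bytes already written into data[] */
};

/* Naive check: used + len can wrap around to a small value when len is
 * controlled by untrusted input, so the comparison passes even though
 * len alone exceeds the capacity. Returns true if the check would accept
 * the append (nothing is copied here; the decision is what matters). */
bool naive_check_accepts(size_t used, size_t len, size_t cap)
{
    return used + len <= cap;      /* wraps on overflow */
}

/* Hardened check: subtract before comparing so that no addition can wrap.
 * Also rejects a corrupted 'used' that is already beyond the capacity. */
bool safe_check_accepts(size_t used, size_t len, size_t cap)
{
    if (used > cap)
        return false;
    return len <= cap - used;
}

/* Append that uses the hardened check. Returns the number of bytes
 * appended, or -1 when the request does not fit in the buffer. */
int frame_buf_append(struct frame_buf *fb, const uint8_t *src, size_t len)
{
    if (!safe_check_accepts(fb->used, len, BUF_CAP))
        return -1;
    memcpy(fb->data + fb->used, src, len);
    fb->used += len;
    return (int)len;
}

int main(void)
{
    /* Constructed "length" such as a malformed input record might carry. */
    size_t huge = SIZE_MAX - 10;

    printf("naive check accepts huge length: %s\n",
           naive_check_accepts(100, huge, BUF_CAP) ? "yes" : "no");   /* yes */
    printf("safe check accepts huge length:  %s\n",
           safe_check_accepts(100, huge, BUF_CAP) ? "yes" : "no");    /* no */

    struct frame_buf fb = { .used = 0 };
    uint8_t payload[300];
    memset(payload, 0x41, sizeof payload);        /* constructed filler data */

    printf("append 200 bytes: %d\n", frame_buf_append(&fb, payload, 200));  /* 200 */
    printf("append 100 more:  %d\n", frame_buf_append(&fb, payload, 100));  /* -1 */
    return 0;
}
```

With `used = 100` and `len = SIZE_MAX - 10`, the naive sum wraps to 89, which is below the 256-byte capacity, so the check passes; the subtraction form compares `len` against the 156 bytes actually remaining and rejects it. Compiling with `-fsanitize=undefined` or `-ftrapv` does not catch the naive form, because unsigned wraparound is defined behaviour in C; the check itself has to be written so it cannot wrap.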
Beyond the critical vulnerabilities, the bulletin resolves a large number of high-severity issues spanning multiple components. The Framework section alone contains over 30 CVEs, predominantly elevation of privilege flaws, along with information disclosure and denial-of-service issues. The 2026-03-05 patch level addresses additional vulnerabilities in Kernel components, as well as flaws reported by hardware partners including Arm (Mali GPU), Imagination Technologies (PowerVR GPU, 7 CVEs), MediaTek (20 CVEs covering display and modem components), Unisoc (7 modem CVEs), and Qualcomm (7 open-source and 8 closed-source component CVEs). Several of the critical System and Framework flaws are also addressable through Google Play system updates via Project Mainline components such as Media Codecs, MediaProvider, Permission Controller, and Documents UI.
Users are strongly advised to update their Android devices to security patch level 2026-03-05 or later if a patch is available for their device.