The March 2026 security patch for Android addresses a wide range of vulnerabilities across various components, including one CVE that is currently being exploited. Devices that are updated to a patch level of 2026-03-05 or later will receive fixes for all known issues.
Active Exploitation of CVE-2026-21385
The security bulletin highlights that CVE-2026-21385 is under targeted exploitation. This vulnerability is located in the Qualcomm Display component and is classified as high severity. Organizations using devices with Qualcomm chipsets should prioritize patching this issue promptly.
Critical Vulnerabilities Identified
One of the severe vulnerabilities detailed in the bulletin is found in the System component. This critical flaw could allow for remote code execution without requiring additional privileges or user interaction. The vulnerability, identified as CVE-2026-0006, impacts Android 16 and is associated with the Media Codecs Mainline component, indicating that it can be updated via Google Play system updates on compatible devices.
Another critical issue, CVE-2025-48631, also affects the System component and is classified as a denial-of-service vulnerability. It impacts Android versions 14, 15, 16, and 16-QPR2. Additionally, the Framework component has a critical flaw, CVE-2026-0047, which allows for local privilege escalation, but this is limited to Android 16-QPR2.
Several kernel-level vulnerabilities represent significant risks. These include multiple critical elevation-of-privilege flaws affecting the Protected Kernel-Based Virtual Machine (pKVM) subsystem, specifically CVE-2026-0037, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031. There is also a critical vulnerability, CVE-2024-43859, in the Flash-Friendly File System (F2FS), and CVE-2026-0038 affecting the Hypervisor. All of these kernel vulnerabilities are included in the 2026-03-05 patch level; the most critical of them require System execution privileges to exploit but no user interaction.
Framework Vulnerabilities Overview
The Framework section of the bulletin is the most extensive, featuring over 30 CVEs. Most of these are classified as high severity and involve elevation-of-privilege issues. There are three vulnerabilities related to information disclosure and another three concerning denial-of-service scenarios. The affected Android Open Source Project (AOSP) versions vary, with several vulnerabilities impacting Android versions 14 through 16-QPR2.
Some of the Framework vulnerabilities are linked to Mainline components and can be patched through Google Play without needing a full over-the-air (OTA) update. The affected Mainline subcomponents include MediaProvider, Documents UI, and Permission Controller.
Contribution from Chipset Vendors
A significant number of vulnerabilities in the bulletin are attributed to third-party silicon and component vendors. MediaTek has disclosed 20 CVEs affecting the KeyInstall component, the display subsystem, and various modem-related issues. Qualcomm has contributed six open-source CVEs related to the Display and Security components, along with eight additional closed-source entries. Imagination Technologies reports seven issues with PowerVR GPUs, while Unisoc lists seven vulnerabilities associated with modems. There is also one entry each for Arm Mali and, from a miscellaneous OEM, for VBMeta.
All hardware vendor issues listed in this bulletin are rated high severity, with assessments provided by the respective vendors.
Patch Delivery Information
Source code patches will be made available in the Android Open Source Project repository. Devices running Android 10 and later may receive relevant Mainline component updates through Google Play system updates, independent of carrier or OEM OTA schedules.
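For administrators who need to confirm that a fleet has actually reached the 2026-03-05 patch level, the following script is an added example, not part of the bulletin or of any Google tooling. It assumes the per-device value of `ro.build.version.security_patch` has been collected with `adb shell getprop ro.build.version.security_patch` (the real property Android uses to report its security patch level); the device serials and values below are constructed so the script runs offline, and it treats an empty or malformed value as "unknown" rather than silently passing it.

```python
"""Audit collected Android patch levels against the bulletin's 2026-03-05 level.

Added example (not from the bulletin). Assumes each device's value of
ro.build.version.security_patch was gathered, e.g. via
`adb shell getprop ro.build.version.security_patch`; sample data is constructed.
"""
from datetime import date
from typing import Dict, List, Optional

# Patch level named by the bulletin: devices at this date or later carry
# fixes for every issue it lists.
REQUIRED_PATCH_LEVEL = date(2026, 3, 5)

# Constructed sample: serial -> raw getprop output as a fleet tool might collect it.
SAMPLE_FLEET = {
    "emulator-5554": "2026-03-05\n",      # trailing newline from adb output
    "R58M12ABCDE": "2026-02-01",          # one bulletin behind
    "ZY22ABCDEF": "2026-04-01",           # newer than required
    "0123456789ABCDEF": "",               # property missing / device unreachable
    "FA7AB1A00000": "not-a-date",         # corrupted collection
}


def parse_patch_level(raw: str) -> Optional[date]:
    """Parse the YYYY-MM-DD value of ro.build.version.security_patch.

    Returns None for empty or malformed input so callers cannot mistake a
    collection failure for a compliant device.
    """
    raw = raw.strip()
    if not raw:
        return None
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def is_compliant(raw: str, required: date = REQUIRED_PATCH_LEVEL) -> bool:
    """True only when the device reports a parseable level at or after `required`."""
    level = parse_patch_level(raw)
    return level is not None and level >= required


def audit_fleet(fleet: Dict[str, str],
                required: date = REQUIRED_PATCH_LEVEL) -> Dict[str, List[str]]:
    """Bucket device serials into compliant, outdated and unknown."""
    report: Dict[str, List[str]] = {"compliant": [], "outdated": [], "unknown": []}
    for serial, raw in fleet.items():
        level = parse_patch_level(raw)
        if level is None:
            report["unknown"].append(serial)
        elif level >= required:
            report["compliant"].append(serial)
        else:
            report["outdated"].append(serial)
    return report


if __name__ == "__main__":
    for bucket, serials in audit_fleet(SAMPLE_FLEET).items():
        print(f"{bucket}: {', '.join(serials) or '-'}")
```

Note that this property reflects the patch level delivered by the OTA build; the Google Play system update date for Mainline components (such as the Media Codecs module named above) is reported separately in Settings and is not captured by this check.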