
Targeted Android Attacks Exploit Qualcomm Zero-Day Vulnerability

A recent vulnerability in Qualcomm's software has been exploited in targeted attacks against certain Android devices. This was highlighted in Google's monthly Android security bulletin released on March 2, which included information about various vulnerabilities impacting Android systems. Among the over 100 Common Vulnerabilities and Exposures (CVEs) listed, two are particularly noteworthy.

The first, CVE-2026-21385, is a high-severity vulnerability within Qualcomm's graphics kernel that affects a broad range of chipsets. Although specific details are scarce, it is categorized as an integer overflow issue that requires local access for exploitation. Qualcomm describes the flaw as "Memory corruption while using alignments for memory allocation," assigning it a CVSS score of 7.8. This vulnerability was included in the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog on Monday.
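The bug class named above, an integer overflow in alignment arithmetic ahead of a memory allocation, shown as a generic added illustration with an unchecked round-up beside a checked one. This is not Qualcomm's code and does not describe the actual flaw; the function names and sample values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed request: a length just under 4 GiB with 4 KiB alignment. */
#define SAMPLE_SIZE  0xFFFFF001u
#define SAMPLE_ALIGN 0x1000u

/* "Before" form (hypothetical helper): round size up to a power-of-two
 * alignment. size + (align - 1) is computed modulo 2^32 and can wrap. */
static uint32_t align_up_unchecked(uint32_t size, uint32_t align)
{
    return (size + (align - 1u)) & ~(align - 1u);
}

/* Hardened form: reject invalid alignments and sizes that would wrap,
 * so the caller never sees an aligned length smaller than the request. */
static bool align_up_checked(uint32_t size, uint32_t align, uint32_t *out)
{
    if (align == 0u || (align & (align - 1u)) != 0u)
        return false;                      /* not a power of two */
    if (size > UINT32_MAX - (align - 1u))
        return false;                      /* rounding up would wrap */
    *out = (size + (align - 1u)) & ~(align - 1u);
    return true;
}

/* True when the unchecked result is smaller than the request, i.e. a
 * buffer sized from it would be too short for the data written to it. */
static bool unchecked_is_short(uint32_t size, uint32_t align)
{
    return align_up_unchecked(size, align) < size;
}

int main(void)
{
    uint32_t aligned = 0;

    printf("unchecked: request %#x -> aligned %#x\n",
           (unsigned)SAMPLE_SIZE,
           (unsigned)align_up_unchecked(SAMPLE_SIZE, SAMPLE_ALIGN));
    if (!align_up_checked(SAMPLE_SIZE, SAMPLE_ALIGN, &aligned))
        puts("checked: request rejected");
    if (align_up_checked(5000u, SAMPLE_ALIGN, &aligned))
        printf("checked: request 5000 -> aligned %u\n", (unsigned)aligned);
    return 0;
}
```

In kernel code the same guard is usually expressed with the platform's overflow-checking helpers rather than a hand-written comparison; the point is that the size check has to happen before the rounded value reaches the allocator.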

Possible Spyware Attack?

This vulnerability is particularly concerning because Google indicated in the Android bulletin that there are signs of limited, targeted exploitation of CVE-2026-21385. The exact meaning of "limited and targeted exploitation" remains unclear, and both Google and Qualcomm have been asked for more information.

Adam Boynton, a senior security strategy manager at endpoint security vendor Jamf, suggests that while speculation should be approached cautiously, the language used by Google typically points to activity that is too focused to be considered opportunistic, possibly indicating involvement from a nation-state actor or a commercial surveillance vendor.

Boynton noted that a previous Qualcomm zero-day vulnerability, CVE-2024-43047, was described with similar language and was later linked to commercial spyware tools. While this does not confirm the same circumstances for CVE-2026-21385, it raises questions about the nature of the threat.

The second significant vulnerability this month is CVE-2026-0047, which is a critical local privilege escalation flaw in Android's System component. This flaw could allow remote code execution without requiring any additional execution privileges or user interaction, stemming from a missing permission check in the ActivityManagerService.java file.

Google cautioned that the severity assessment is based on the potential impact of exploiting the vulnerability, assuming that platform and service mitigations are either disabled for development or successfully bypassed.

Boynton explained that since an attacker must already have access to a device to exploit this vulnerability, it creates a substantial barrier to exploitation. Typically, such vulnerabilities would be used as part of a more complex, chained attack rather than independently.

He elaborated that initial access could be gained through methods like phishing, malicious applications, or other vulnerabilities like CVE-2026-0006. Subsequently, an attacker could leverage the escalation to deepen their access and maintain persistence. Boynton stated that the real issue is not whether this vulnerability will be exploited, but rather if it will be detected when it occurs, as these chained techniques often surface only during post-incident investigations, long after damage has been inflicted.

The Complexities of Patching Android Flaws

Patches for CVE-2026-21385 are currently available, and Qualcomm has informed relevant original equipment manufacturers (OEMs) to deploy these patches on affected devices as swiftly as possible. Additionally, patches for CVE-2026-0047 can be accessed through the Android Open Source Project (AOSP).

However, the complexity of addressing Android vulnerabilities, particularly those related to Qualcomm, is significant. Boynton pointed out that consumers depend on manufacturers, which may not be Google or Qualcomm, to implement patches on impacted devices, even if those patches are made available at the time of disclosure. This delay poses a risk, especially as vulnerabilities are increasingly being exploited at a rapid pace.

Accordingly, Qualcomm has urged customers to reach out to their device manufacturers for updates regarding the patching status of released devices.
