Qualcomm Zero-Day Exploited in Targeted Android Attacks

The exploitation activity against CVE-2026-21385, a high-severity memory corruption flaw, could be tied to commercial spyware or nation-state threat groups.

Alexander Culafi, Senior News Writer, Dark Reading
March 3, 2026
3 Min Read

A new Qualcomm bug has been exploited in limited and targeted attacks against vulnerable Android devices.

Google published its monthly Android security bulletin on March 2 with, as usual, a number of vulnerabilities affecting Android devices. Among the more than 100 CVEs listed, two in particular stand out.

One is CVE-2026-21385, a high-severity vulnerability in Qualcomm's graphics kernel, which affects a wide range of chipsets. Though few details are available, it is an integer overflow issue that requires local access to exploit. In its own bulletin, Qualcomm describes it as "Memory corruption while using alignments for memory allocation." The flaw, which received a CVSS score of 7.8, was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog on Monday.

Possible Spyware Attack?

The reason CVE-2026-21385 stands out is that Google said in the Android bulletin, "There are indications that CVE-2026-21385 may be under limited, targeted exploitation." It is unclear what "limited and targeted exploitation" means, and Dark Reading contacted both Google and Qualcomm for additional information.
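Qualcomm's one-line description ("memory corruption while using alignments for memory allocation") points at a well-known bug class: rounding a requested size up to an alignment boundary with unchecked arithmetic, so that a very large request wraps to a small allocation that is later overrun. The C below is an added illustration of that class beside the check that prevents it; it is not Qualcomm's code, does not reproduce the actual flaw, and all helper names are assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative helpers only (assumed names, not Qualcomm's code).
 * `align` is expected to be a power of two. */

/* Common unchecked align-up: for a size close to SIZE_MAX the addition
 * wraps, so the "aligned" result is tiny and any buffer sized from it is
 * far too small for the data later written into it. */
static size_t align_up_unchecked(size_t size, size_t align)
{
    return (size + align - 1) & ~(align - 1);
}

/* Checked align-up: validates the alignment and refuses a size whose
 * rounding would wrap, returning false instead of a wrapped value. */
static bool align_up_checked(size_t size, size_t align, size_t *out)
{
    if (align == 0 || (align & (align - 1)) != 0)
        return false;                  /* not a power of two */
    if (size > SIZE_MAX - (align - 1))
        return false;                  /* size + align - 1 would overflow */
    *out = (size + align - 1) & ~(align - 1);
    return true;
}

/* Allocation wrapper: the caller never receives a buffer sized from a
 * wrapped value; an overflowing request is refused outright. */
static void *alloc_rounded(size_t requested, size_t align)
{
    size_t total;
    if (!align_up_checked(requested, align, &total))
        return NULL;
    return malloc(total);
}

int main(void)
{
    size_t big = SIZE_MAX - 10;   /* constructed request near the top of size_t */
    size_t out = 0;

    printf("unchecked: %zu\n", align_up_unchecked(big, 4096));  /* prints 0: wrapped */
    printf("checked:   %s\n", align_up_checked(big, 4096, &out) ? "ok" : "rejected");
    printf("alloc:     %s\n", alloc_rounded(big, 4096) ? "allocated" : "refused");
    return 0;
}
```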
However, Adam Boynton, senior security strategy manager at endpoint security vendor Jamf, says that while one should be careful about speculating, this "is the specific language Google uses when activity is too narrow to be criminal infrastructure but too deliberate to be opportunistic." As in, possibly a nation-state actor or commercial surveillance vendor.

"CVE-2024-43047 — another Qualcomm zero-day — used the same language when it was disclosed, and it was later tied to commercial spyware tooling via Amnesty International's Security Lab," Boynton says. "That's not confirmation of the same here, but the profile is consistent. We don't know who is behind this. But the way Google and Qualcomm are describing it tells you something about what they think they're looking at."

The other vulnerability of note this month is CVE-2026-0047, a critical local privilege escalation flaw in Android's System component "that could lead to remote code execution with no additional execution privileges needed," the bulletin read. No user interaction is needed, either. It is caused by a missing permission check in dumpBitmapsProto of ActivityManagerService.java.

"The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed," Google warned.

Boynton says the fact that an attacker already needs to be on a device to use it offers a meaningful barrier to attack, which is likely why it hasn't been exploited in the wild just yet. It would be used as part of a chained attack rather than a standalone one. "Someone gets initial access through a phishing link, a malicious app, or an RCE like CVE-2026-0006, and then uses the escalation to go deeper and persist," he says.
"The question isn't really whether it will be exploited. It's whether it will be visible when it is. These chained techniques are harder to attribute and often only surface in post-incident forensics, long after the damage is done."

The Complexities of Patching Android Flaws

Patches for CVE-2026-21385 are currently available, and Qualcomm says they're being shared with relevant OEMs, "who have been notified and strongly recommended to deploy those patches on released devices as soon as possible." Patches are also available for CVE-2026-0047 via the Android Open Source Project (AOSP).

One issue to consider is that Android flaws, particularly ones like the Qualcomm bug, depend on OEMs for patching at the consumer level. This, as Boynton points out, means that consumers rely on manufacturers (which are not necessarily Google or Qualcomm) to fix an affected device with a patch, even if the patch was released at disclosure. That lag matters when vulnerabilities are being exploited faster than ever.

As a result, Qualcomm, in its bulletin, urged customers to "Please contact the device manufacturer for information on the patching status of released devices."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.