Overview
- CISA added CVE-2026-21385 to its Known Exploited Vulnerabilities catalog and directed federal agencies to patch by March 24.
- Google’s March 2026 bulletin fixes 129 vulnerabilities across the 2026-03-01 and 2026-03-05 patch levels, with the zero‑day addressed in the latter.
- The exploited flaw is an integer overflow–triggered memory corruption in an open‑source Qualcomm graphics/display component affecting over 230 chipsets.
- Google reported the bug to Qualcomm on December 18, 2025, and Qualcomm notified OEMs on February 2 before public release this week.
- Other high‑impact issues include a System remote code execution bug (CVE-2026-0006) and multiple critical kernel, pKVM, and hypervisor flaws. These underscore the urgency of patching: non‑Pixel devices are still awaiting OEM rollouts, and the AOSP source is set to be published by Wednesday.
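
Because the zero‑day is fixed only at the 2026-03-05 level, a device reporting 2026-03-01 is still exposed to CVE-2026-21385. The following is an added example, not code from Google, Qualcomm or CISA, that triages reported patch levels on that basis; the function names, the `device_id,patch_level` inventory format and the sample device IDs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage Android security patch levels against the March 2026 bulletin.
# On a live device the value comes from:
#   adb shell getprop ro.build.version.security_patch

ZERO_DAY_LEVEL=20260305   # 2026-03-05: level that addresses CVE-2026-21385
BASE_LEVEL=20260301       # 2026-03-01: first March 2026 level, without the zero-day fix

# classify_patch_level YYYY-MM-DD
# Prints one of: covered | partial | exposed | invalid
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;   # empty, "unknown", or malformed value
    esac
    n=$(printf '%s' "$1" | tr -d '-')  # 2026-03-05 -> 20260305 for numeric compare
    if [ "$n" -ge "$ZERO_DAY_LEVEL" ]; then
        echo covered
    elif [ "$n" -ge "$BASE_LEVEL" ]; then
        echo partial                   # March fixes applied, zero-day fix missing
    else
        echo exposed
    fi
}

# needs_update: reads "device_id,patch_level" lines on stdin (hypothetical format)
# and prints "device_id:status" for every device not yet at the 2026-03-05 level.
needs_update() {
    while IFS=, read -r id level; do
        [ -n "$id" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = covered ] || printf '%s:%s\n' "$id" "$status"
    done
}

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY='pixel-01,2026-03-05
tablet-07,2026-03-01
phone-12,2026-02-05
kiosk-03,unknown
phone-19,2026-04-01'

printf '%s\n' "$SAMPLE_INVENTORY" | needs_update
```

Devices reported as `invalid` should be treated as unpatched until their patch level is confirmed.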