Overview
- Google published two patch levels—2026-03-01 for AOSP components and 2026-03-05 for kernel and vendor drivers—closing well over a hundred vulnerabilities across framework, system and chipset code.
- The bulletin flags limited in‑the‑wild exploitation of Qualcomm’s graphics/display flaw CVE-2026-21385, with Google and Qualcomm withholding specifics on impact and scope.
- Critical risks include elevation‑of‑privilege and remote‑code‑execution issues such as CVE-2026-0047 in the framework and CVE-2026-0006 in system media components, some requiring no user interaction.
- Google Play System (Mainline) updates deliver a dozen fixes this month, including mitigation for CVE-2026-0006, offering coverage for some devices that lack timely OEM patches.
- Updates are only available for supported devices; Samsung has begun a March rollout addressing 65 vulnerabilities, while the separate Pixel device bulletin had not yet been posted.