Google has released its Android Security Bulletin for March with patches for 129 vulnerabilities, one of which is a zero-day flaw in a Qualcomm display component that may be under “targeted, limited exploitation.”
The latest update also fixes 10 critical severity bugs across Android components. CVE-2026-0006 is a remote code execution vulnerability in the System component that attackers could exploit with no additional privileges or user interaction. CVE-2025-48631 is a denial-of-service flaw in System, while CVE-2026-0047 is an escalation of privilege vulnerability in Framework. There are seven critical escalation of privilege flaws being patched in Kernel components.
Google is also addressing issues in Qualcomm, MediaTek, Arm, Misc OEM, Unisoc, and Imagination Technologies components, which may not affect all Android devices.
One zero-day patched
The zero-day patched with this security update is as an integer overflow or wraparound in a Qualcomm Graphics subcomponent that allows local attackers to trigger memory corruption. The vulnerability—labeled CVE-2026-21385—affects 235 Qualcomm chipsets. According to Qualcomm’s own security advisory , the vulnerability was reported on Dec. 18, 2025 through the Google Android Security team, with customers notified on Feb. 2, 2026.
Update your Android ASAP
Android users should install the latest security patch as soon as it becomes available—you should get a notification prompting you to do so. Google pushes updates for its own Pixel devices and the core Android Open Source Project (AOSP) code, while other manufacturers release patches for their respective devices around the same time. If you have a Samsung, Motorola, or Nokia, for example, you may experience a slight delay.
There are two patch levels labeled as 2026-03-01 and 2026-03-05, the latter of which fixes all issues included in the former. This month’s patches apply to AOSP versions 14, 15, 16, and 16-qpr2. You can check for available updates via Settings > Security & privacy > System & updates > Security update.
