
Qualcomm Zero-Day Vulnerability Observed in Targeted Android Activity

Google’s March 2026 Android security bulletin addresses over 100 vulnerabilities, prioritizing a high-severity Qualcomm graphics kernel flaw and a critical privilege escalation issue. Security teams should evaluate the risk of chained techniques and coordinate with device manufacturers to verify patch deployment.

Triage Security Media Team
2 min read

A recently identified Qualcomm vulnerability has been associated with limited, targeted activity against vulnerable Android devices.

Google published its monthly Android security bulletin on March 2, detailing over 100 Common Vulnerabilities and Exposures (CVEs) affecting Android systems. Among the disclosed findings, two specific vulnerabilities require priority assessment from security teams.

The first is CVE-2026-21385, a high-severity vulnerability in Qualcomm's graphics kernel that affects a wide range of chipsets. This integer overflow issue requires local access to execute. In its advisory, Qualcomm describes the flaw as "Memory corruption while using alignments for memory allocation." The vulnerability received a CVSS score of 7.8 and was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog on Monday.

Assessing targeted surveillance activity

Security teams are prioritizing CVE-2026-21385 following a specific note in Google's Android bulletin: "There are indications that CVE-2026-21385 may be under limited, targeted exploitation."

Adam Boynton, senior security strategy manager at endpoint security vendor Jamf, advises carefully evaluating this phrasing. He observes that this "is the specific language Google uses when activity is too narrow to be criminal infrastructure but too deliberate to be opportunistic." This profile often points toward a nation-state actor or commercial surveillance vendor.

"[CVE-2024-43047], another Qualcomm zero-day, used the same language when it was disclosed, and it was later tied to commercial spyware tooling via Amnesty International's Security Lab," Boynton says. "That's not confirmation of the same here, but the profile is consistent. We don't know who is behind this. But the way Google and Qualcomm are describing it tells you something about what they think they're looking at."

The second priority finding is CVE-2026-0047, a critical local privilege escalation vulnerability in Android's System component. According to the bulletin, this flaw "could lead to remote code execution with no additional execution privileges needed." It requires no user interaction and stems from a missing permission check in dumpBitmapsProto of ActivityManagerService.java.

Google based its severity assessment on the potential impact to a device, "assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed."

Boynton explains that because a threat actor must already have a foothold on the device to leverage this flaw, there is a meaningful barrier to execution, which may explain why it has not been observed in broad circulation. It is most likely to be used in a sequence of actions rather than as a standalone technique.

"Someone gets initial access through a phishing link, a malicious app, or an RCE like CVE-2026-0006, and then uses the escalation to go deeper and persist," Boynton notes. "The question isn't really whether it will be exploited. It's whether it will be visible when it is. These chained techniques are harder to attribute and often only surface in post-incident forensics, long after the damage is done."

Patches for CVE-2026-21385 are available, and Qualcomm reports that the updates are being shared with original equipment manufacturers (OEMs). The company has "strongly recommended to deploy those patches on released devices as soon as possible." Fixes for CVE-2026-0047 are also accessible via the Android Open Source Project (AOSP).

A persistent structural factor in Android device security is the reliance on OEMs at the consumer level. Users and organizations depend on individual device manufacturers, rather than just Google or Qualcomm, to compile and distribute patches for impacted hardware. Delays in this distribution pipeline can leave devices exposed even after upstream patches are available.

To ensure proper remediation, Qualcomm urges customers to contact their device manufacturers directly for information regarding the patching status of released devices.
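One way a security team can verify patch deployment across a fleet, as an added example that is not from the article, Google or Qualcomm: parse each device's `adb shell getprop` output and flag Qualcomm-based devices whose reported security patch level lags the bulletin. It assumes the March 2026 bulletin's later patch-level string is 2026-03-05 and that devices populate `ro.soc.manufacturer`; the getprop samples are constructed.

```python
from datetime import date

# Assumption for this example: the bulletin's later patch-level string is
# 2026-03-05, the level a device must report to carry the Qualcomm fixes.
REQUIRED_PATCH_LEVEL = date(2026, 3, 5)

# Constructed sample `adb shell getprop` output from three fleet devices.
SAMPLE_GETPROP = {
    "dev-a": "[ro.build.version.security_patch]: [2026-03-05]\n"
             "[ro.soc.manufacturer]: [QTI]\n"
             "[ro.product.manufacturer]: [ExampleOEM]\n",
    "dev-b": "[ro.build.version.security_patch]: [2025-12-05]\n"
             "[ro.soc.manufacturer]: [Qualcomm]\n"
             "[ro.product.manufacturer]: [OtherOEM]\n",
    "dev-c": "[ro.build.version.security_patch]: [2026-02-05]\n"
             "[ro.soc.manufacturer]: [Samsung]\n"
             "[ro.product.manufacturer]: [ThirdOEM]\n",
}

def parse_getprop(text):
    """Turn `[key]: [value]` getprop lines into a dict; ignore malformed lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and "]: [" in line and line.endswith("]"):
            key, _, value = line[1:-1].partition("]: [")
            props[key] = value
    return props

def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level; return None if missing or malformed."""
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None

def assess_device(name, getprop_text, required=REQUIRED_PATCH_LEVEL):
    """Summarise one device's OEM, SoC vendor and patch-level compliance."""
    props = parse_getprop(getprop_text)
    level = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    soc = props.get("ro.soc.manufacturer", "").lower()
    return {
        "device": name,
        "oem": props.get("ro.product.manufacturer", "unknown"),
        "qualcomm_soc": soc in ("qualcomm", "qti"),
        "patch_level": level.isoformat() if level else None,
        # An unknown level is treated as non-compliant, never silently passed.
        "compliant": level is not None and level >= required,
    }

def exposed_qualcomm_devices(samples=SAMPLE_GETPROP):
    """Names of devices that run a Qualcomm SoC and lag the required level."""
    results = [assess_device(n, t) for n, t in samples.items()]
    return [r["device"] for r in results if r["qualcomm_soc"] and not r["compliant"]]
```

The list this returns is the set of devices whose OEM should be contacted about patch status, grouped by the `oem` field if needed.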
