Qualcomm Zero-Day Exploited in Targeted Android Attacks - Dark Reading
The exploitation activity against CVE-2026-21385, a high-severity memory corruption flaw, could be tied to commercial spyware or nation-state threat groups.
Alexander Culafi, Senior News Writer, Dark Reading
March 3, 2026
A new Qualcomm bug has been exploited in limited and targeted attacks against vulnerable Android devices.
Google published its monthly Android security bulletin on March 2 with, as per usual, a number of vulnerabilities affecting Android devices. Among the more than 100 CVEs listed, two in particular stand out.
One is CVE-2026-21385, a high-severity vulnerability in Qualcomm's graphics kernel, which affects a wide range of chipsets. Though few details are available, it's an integer overflow issue that requires local access to exploit. In its own bulletin, Qualcomm describes it as "Memory corruption while using alignments for memory allocation." The flaw, which received a CVSS score of 7.8, was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog on Monday.
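The bug class Qualcomm's description names, an integer overflow while aligning an allocation size, can be shown in a few lines of C. This is an added illustration, not code from Qualcomm's driver or from the article; the function names and input values are hypothetical, and the details of the actual flaw are not given on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable pattern: round a requested size up to a power-of-two alignment.
 * When size is within (align - 1) of UINT32_MAX the addition wraps, so the
 * "aligned" size comes out smaller than the request. */
uint32_t align_up_unchecked(uint32_t size, uint32_t align)
{
    return (size + align - 1u) & ~(align - 1u);
}

/* Hardened form: reject bad alignments and detect the wrap before adding. */
bool align_up_checked(uint32_t size, uint32_t align, uint32_t *out)
{
    if (align == 0 || (align & (align - 1u)) != 0)
        return false;                       /* not a power of two */
    if (size > UINT32_MAX - (align - 1u))
        return false;                       /* size + align - 1 would wrap */
    *out = (size + (align - 1u)) & ~(align - 1u);
    return true;
}

/* True when the unchecked helper would size a buffer below the request,
 * which is the precondition for memory corruption on a later write. */
bool undersized_allocation(uint32_t size, uint32_t align)
{
    return align_up_unchecked(size, align) < size;
}

int main(void)
{
    /* Constructed inputs: a normal request and one near UINT32_MAX. */
    const uint32_t sizes[] = { 0x1001u, 0xFFFFF001u };
    const uint32_t align = 0x1000u;         /* 4 KiB page alignment */
    for (size_t i = 0; i < 2; i++) {
        uint32_t safe = 0;
        bool ok = align_up_checked(sizes[i], align, &safe);
        printf("req=0x%08x unchecked=0x%08x checked=%s\n",
               (unsigned)sizes[i], (unsigned)align_up_unchecked(sizes[i], align),
               ok ? "ok" : "rejected");
    }
    return 0;
}
```

The hardened helper fails closed: the caller must treat a `false` return as an allocation error rather than fall back to the unaligned size.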
Possible Spyware Attack?
The reason CVE-2026-21385 stands out is that Google said in the Android bulletin, "There are indications that CVE-2026-21385 may be under limited, targeted exploitation." It is unclear what "limited and targeted exploitation" means, and Dark Reading contacted both Google and Qualcomm for additional information. Qualcomm declined to answer the question directly, though a spokesperson shared the following statement.
"Developing technologies that endeavor to support robust security and privacy is a priority for Qualcomm Technologies. We commend the researchers from Google’s Threat Analysis Group for using coordinated disclosure practices. Regarding their GPU-related research, fixes were made available to our customers in January 2026. We encourage end users to apply security updates as they become available from device makers," Qualcomm says.
Adam Boynton, senior security strategy manager at endpoint security vendor Jamf, says that while one should be careful about speculating, this "is the specific language Google uses when activity is too narrow to be criminal infrastructure but too deliberate to be opportunistic." That is, possibly a nation-state actor or commercial surveillance vendor.
"CVE-2024-43047 — another Qualcomm zero-day — used the same language when it was disclosed, and it was later tied to commercial spyware tooling via Amnesty International's Security Lab," Boynton says. "That's not confirmation of the same here, but the profile is consistent. We don't know who is behind this. But the way Google and Qualcomm are describing it tells you something about what they think they're looking at."
The other vulnerability of note this month is CVE-2026-0047, a critical local privilege escalation flaw in Android's System component "that could lead to remote code execution with no additional execution privileges needed," the bulletin read. No user interaction is needed, either. It's caused by a missing permission check in dumpBitmapsProto of ActivityManagerService.java.
"The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed," Google warned.
Boynton says the fact that an attacker already needs to be on a device to use it offers a meaningful barrier to attack, which is likely why it hasn't been exploited in the wild just yet. It would be used as part of a chained attack rather than a standalone one.
"Someone gets initial access through a phishing link, a malicious app, or an RCE like CVE-2026-0006, and then uses the escalation to go deeper and persist," he says. "The question isn't really whether it will be exploited. It's whether it will be visible when it is. These chained techniques are harder to attribute and often only surface in post-incident forensics, long after the damage is done."
The Complexities of Patching Android Flaws
Patches for CVE-2026-21385 are currently available, and Qualcomm says they're being shared with relevant OEMs, "who have been notified and strongly recommended to deploy those patches on released devices as soon as possible."
Patches are also available for CVE-2026-0047 via the Android Open Source Project (AOSP).
One issue to consider is that fixes for Android flaws, particularly ones like the Qualcomm bug, depend on OEMs at the consumer level. This, as Boynton points out, means that consumers are reliant on manufacturers (that aren't necessarily Google or Qualcomm) to fix an impacted device with a patch, even if the patch was released at disclosure. That lag matters when vulnerabilities are being exploited faster than ever.
As a result, Qualcomm, in its bulletin, urged customers to "Please contact the device manufacturer for information on the patching status of released devices."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.