Vulnerabilities & CVEs · Mar 28, 2026

Critical Android Update—Google And CISA Confirm 0-Day Device Attacks - forbes.com

forbes.com · Archived Mar 28, 2026



By Davey Winder, Senior Contributor. Davey Winder is a veteran cybersecurity writer, hacker and analyst.

Mar 04, 2026, 08:48am EST

[Image: Update Android now as attacks confirmed. SOPA Images/LightRocket via Getty Images]

Updated March 4 with confirmation that America’s Cyber Defense Agency, the CISA, has added CVE-2026-21385 to its known exploited vulnerabilities catalog and mandated federal agencies to patch the Qualcomm “multiple chipsets memory corruption” zero-day before March 24. This is the zero-day that Google has included in the March Android security bulletin, and that cybersecurity experts have warned could enable an attacker to bypass security controls and assume device control.

Google’s latest security update for smartphone users has just dropped, and the March Android security bulletin sounds one very clear message: this update is critical. Among the 129 vulnerabilities patched by the update, one stands out as it’s a dangerous zero-day. “There are indications that CVE-2026-21385 may be under limited, targeted exploitation,” Google has confirmed. And, in the case of this particular exploit, that could mean an attacker bypassing security controls and taking control of your device, according to cybersecurity experts.

You shouldn’t really need reminding that updating Android every month when the latest security patch rollout is released, if your smartphone still supports them, is a no-brainer. Which is why most devices do this automatically. It is, however, worth ensuring that yours is updated as soon as possible, especially this month, because there’s a patch in there for a vulnerability that is already being exploited in the wild.

It has been quite the few days for users of the Google ecosystem, which is a huge swathe of the global population, truth be told. What with Chrome browser users being warned that a Google Lens search tool had gone rogue and was actually stealing credentials, as well as news that hackers were abusing a critical Google security check feature to target Gmail and other users. Now the last part of this threat triumvirate has dropped into place as the newly published Android Security Bulletin for March 2026 has confirmed no fewer than 129 vulnerabilities impacting Android users. One of these, with a Common Vulnerabilities and Exposures designation of CVE-2026-21385, is a zero-day that is known to already be under attack from threat actors.

The vulnerability, a Qualcomm zero-day, is an integer overflow in the Graphics subcomponent, which means, Adam Boynton, senior enterprise strategy manager at Jamf, told me, “an attacker could cause severe memory corruption, allowing them to bypass security controls and gain unauthorised control over the system.”

America's Cyber Defense Agency, more formally known as the Cybersecurity and Infrastructure Security Agency, tasked with being the national coordinator for critical infrastructure security and resilience, has now added CVE-2026-21385 to the Known Exploited Vulnerabilities catalog. This is important for two reasons: firstly, it is a vital confirmation of the exploited nature of the vulnerability itself, and secondly, it means that certain federal agencies are mandated under law to apply mitigations within a set timeframe. In the case of CVE-2026-21385, Binding Operational Directive 22-01 requires patching or discontinuing use by March 24.

“Although BOD 22-01 only applies to Federal Civilian Executive Branch agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice,” CISA stated. You can find a full list of the Qualcomm chipsets affected by this zero-day vulnerability here.

As if you needed further confirmation to understand this, and the CISA update directive is certainly that, here’s the thing: this is not a drill. This is the real world and despite the exploit surface being limited and targeted, according to Google, and with no further explanation of what that actually means, automatic updates are not always immediate. “While Google patches these vulnerabilities,” Boynton warned, “OEMs and carriers control when it reaches the device in someone’s pocket.” And that, as every Android owner will tell you, can be a very hard thing to predict. It’s even worse for enterprises, where rolling updates out to live environments can impact business operations, so deployment can, by necessity, stretch from days to weeks. “During that window, the vulnerability is public, and the device is exposed,” Boynton said. “Mobile is no longer a secondary attack surface, and organisations that treat it as such, by delaying updates, will be the ones that end up in incident reports.”

All Google Android users are advised, therefore, to ensure that this update has been applied as soon as possible. I have approached Google for a statement.