CISA flags exploited Qualcomm chipset bug CVE-2026-21385, Android updates now carry the fix
CISA has added CVE-2026-21385 to its Known Exploited Vulnerabilities (KEV) catalog, which means federal agencies must remediate by March 24, 2026. The flaw affects multiple Qualcomm chipsets and can cause memory corruption during aligned memory allocation, which can crash a device or enable further exploitation depending on where the bug sits in the graphics stack.
Google also signaled active exploitation in its Android security bulletin. It wrote: “There are indications that CVE-2026-21385 may be under limited, targeted exploitation.”
Public technical detail remains limited, but the timelines matter. CISA lists the vulnerability as added on March 3, 2026, with a hard due date of March 24, 2026, and NVD shows Qualcomm as the CNA with a CVSS 3.1 base score of 7.8 (High).
What we know so far
CVE-2026-21385 is tracked as a Qualcomm issue described as “Memory corruption while using alignments for memory allocation.” NVD classifies the weakness as CWE-190: Integer Overflow or Wraparound, which often means a size or alignment calculation wraps to an unexpected value and leads to unsafe memory operations.
CISA’s entry does not provide exploit telemetry, affected device models, or a public exploit chain. However, the KEV listing strongly suggests real-world exploitation, and Google’s bulletin supports that interpretation with its “limited, targeted” note.
Key details table
| Field | Value |
|---|---|
| CVE | CVE-2026-21385 |
| Vendor | Qualcomm |
| Affected scope | Multiple chipsets (varies by device and OEM build) |
| Class | Memory corruption tied to alignment in memory allocation |
| Weakness | CWE-190 (Integer Overflow or Wraparound) |
| CVSS (CNA) | 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) |
| CISA KEV added | March 3, 2026 |
| CISA remediation deadline | March 24, 2026 |
| Official patch path | Android March 2026 updates and OEM firmware/security updates |
What “exploited in attacks” likely means in practice
The CVSS vector shown by NVD specifies local access (AV:L) and low privileges (PR:L). That often aligns with attacks that start with a malicious app or a foothold on the device, then pivot into a privileged component like a driver or GPU stack. The end result can range from crashes to escalation, depending on the vulnerable code path and device configuration.
Google’s language suggests targeted use, not mass exploitation. That usually points to higher-value operations such as spyware-style campaigns, but no official source has publicly attributed actors or tooling yet.
What to do now
- Push Android security updates quickly across fleets, especially for devices that rely on Qualcomm chipsets and receive regular OEM security patches.
- Enforce update compliance in MDM so users cannot defer patches indefinitely, particularly on executive and high-risk profiles.
- Reduce risky app pathways by blocking unknown sources and tightening app installation policies where your org controls devices.
- Prioritize high-exposure roles such as journalists, executives, security staff, and admins who face targeted phishing and surveillance attempts.
- Escalate if you cannot patch. CISA’s required action text includes discontinuing use if mitigations are unavailable, which is blunt but reflects the KEV posture.
Monitoring cues that often accompany memory corruption exploitation
| Monitoring area | What to look for |
|---|---|
| Stability | sudden reboots, repeated GPU or system crashes |
| Low-level services | recurring crashes tied to graphics-related processes after specific app activity |
| Post-compromise signals | suspicious apps requesting elevated capabilities, abnormal device management changes |
| Patch behavior | devices stuck on older patch levels despite policy |
These indicators do not prove exploitation, but they help you triage devices that warrant deeper inspection.
FAQ
It is a Qualcomm chipset vulnerability described as “memory corruption while using alignments for memory allocation.”
Google’s Android bulletin says there are indications of “limited, targeted exploitation,” and CISA added it to KEV with a March 24 remediation deadline.
No. Risk varies by device, chipset, and whether the vulnerable Qualcomm component exists in that model’s build.
Install the latest Android security updates available for your device. For managed fleets, rely on OEM security updates and enforce patch-level compliance via MDM.
Treat it as higher risk and plan replacement or isolation for sensitive use cases, especially if it handles privileged access, corporate email, or confidential data.