INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Qualcomm Zero-Day Exploited in Targeted Android Attacks
2026-03-03 20:28 | CRITICAL HIGH
Executive Summary AI-generated
The recent Android security bulletin, released on March 2, highlights several critical vulnerabilities that could lead to remote code execution with no additional privileges needed. These flaws are part of a larger set of exploits targeting Qualcomm's graphics kernel and other components, including CVE-2026-0047 and CVE-2026-21385. The vulnerabilities have been identified by researchers as being under limited, targeted exploitation, suggesting that nation-state actors or commercial surveillance vendors may be involved in the attacks. As a result, manufacturers are urged to patch these flaws on released devices immediately, with patches available for both CVE-2026-0047 and CVE-2026-21385 through the Android Open Source Project (AOSP). The fact that these vulnerabilities have been identified by researchers suggests that they may be more widespread than initially thought.
Technical Mitigations AI-generated
* Patch Qualcomm zero-day CVE-2026-21385: Patches for this vulnerability can be downloaded from the Android Open Source Project (AOSP) and deployed on released devices as soon as possible.
* dumpBitmapsProto missing permission check: The System component's ActivityManagerService.java has a missing permission check in dumpBitmapsProto, which could lead to remote code execution. Until patches are applied, the exposure is to chained attacks that begin with a phishing link or a malicious app.
* Limitations and complexities of patching Android flaws: Patches for CVE-2026-21385 are currently being shared with OEMs, but consumers rely on manufacturers (not Google or Qualcomm). This means that users may not have access to the latest security updates until they receive them from their manufacturer.
* System component dumpBitmapsProto vulnerability: The same issue is tracked as CVE-2026-0047, a critical local privilege escalation flaw. It should be treated as a priority because it could lead to remote code execution with no additional privileges needed.
* Remote Code Execution (RCE) prevention: Patches for these vulnerabilities help prevent RCE attacks by fixing the underlying system components that are vulnerable to exploitation. However, users may still need to take extra precautions against chained attacks, such as being cautious when installing apps and services.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2024-43047
CVE-2025-48633
CVE-2026-0006
CVE-2026-0047
CVE-2025-48572
CVE-2026-21385
Target & Sectors
Global Scope
Incident Timeline
April 2018
Threat actors exploited a previously unknown vulnerability in Qualcomm's latest Android security update.
infrastructure
Android
The company’s latest security update contains the highest number of Android vulnerabilities patched in a single month since April 2018.
2025-03-02
Threat actors exploited a recently discovered zero-day vulnerability in Qualcomm's Android software.
March 2025
Qualcomm's Android Security Bulletin for March 2025 identified CVE-2026-21385 as a potential zero-day vulnerability.
infrastructure
Android
"There are indications that CVE-2026-21385 may be under limited, targeted exploitation," the company said on Monday in its March 2025 Android Security Bulletin.
vulnerability
CVE-2026-21385
January 2026
Threat actors exploited a previously unknown vulnerability in Qualcomm's Android software to target affected devices.
February 2
Threat actors exploited a previously unknown zero-day vulnerability in Qualcomm's Android software on February 2.
Feb. 2
Threat actors exploited a previously unknown zero-day vulnerability in Qualcomm's Android operating system.
February 3
Threat actors used an integer overflow vulnerability in Qualcomm's Graphics subcomponent to target the affected Android devices.
2026-03-01
Google issued two sets of patches: the 2026-03-01 and 2026-03-05 security patch levels for Android.
infrastructure
Android
The Android security bulletin for March includes two patch levels — 2026-03-01 and 2026-03-05 — allowing Android partners to address common vulnerabilities on different devices.
March 2
Google published its monthly Android security bulletin on March 2, detailing vulnerabilities affecting devices.
infrastructure
Android
Google published its monthly Android security bulletin on March 2 with, as per usual, a number of vulnerabilities affecting Android devices.
organisation
Google
2026-03-03
Qualcomm exploited a zero-day vulnerability in its graphics kernel, CVE-2026-21385.
vulnerability
CVE-2026-21385
Google and Qualcomm spokespersons were not immediately available for comment when contacted by BleepingComputer earlier today regarding the CVE-2026-21385 attacks and their targets.
organisation
BleepingComputer
organisation
CVE-2026-0047
The other vulnerability of note this month is CVE-2026-0047, a critical local privilege escalation flaw in Android's System component "that could lead to remote code execution with no additional execution privileges needed," the bulletin read.
infrastructure
Android
Patches are also available for CVE-2026-0047 via the Android Open Source Project (AOSP).
Qualcomm Zero-Day Exploited in Targeted Android Attacks.
A new Qualcomm bug has been exploited in limited and targeted attacks against vulnerable Android devices.
The reason CVE-2026-21385 stands out is that Google said in the Android bulletin, "There are indications that CVE-2026-21385 may be under limited, targeted exploitation."
The Complexities of Patching Android Flaws
Patches for CVE-2026-21385 are currently available, and Qualcomm says they're being shared with relevant OEMs, "who have been notified and strongly recommended to deploy those patches on released devices as soon as possible."
One issue to consider is that Android flaws, particularly like the Qualcomm one, are beholden to OEMs at the consumer level.
Android gets patches for Qualcomm zero-day exploited in attacks.
Google has released security updates to patch 129 Android security vulnerabilities, including an actively exploited zero-day flaw in a Qualcomm display component.
With this month's Android security updates, Google fixed 10 critical security vulnerabilities in the System, Framework, and Kernel components that attackers exploit to gain remote code execution, elevate privileges, or trigger denial-of-service conditions.
The latter bundles all fixes from the first batch, as well as patches for closed-source third-party and kernel subcomponents, which may not apply to all Android devices.
Google addresses actively exploited Qualcomm zero-day in fresh batch of 129 Android vulnerabilities.
Google disclosed one actively exploited zero-day vulnerability Monday, warning that the high-severity defect affecting an open-source Qualcomm display component for Android devices “may be under limited, targeted exploitation.”
Google addressed 129 defects in its monthly security update for Android devices, reflecting a surge in vulnerability disclosures from the vendor.
Google’s public vulnerability disclosure and reporting program for Android has been uneven.
So far this year, Google addressed one Android vulnerability in January and none in February.
“Android stops most vulnerability exploitation at the source with extensive platform hardening, like our use of the memory-safe language Rust and advanced anti-exploitation protections,” a Google spokesperson said in December.
“Android and Pixel continuously address known security vulnerabilities and prioritize fixing and patching the highest-risk ones first.”
Android device manufacturers release security patches on their own schedule after they’ve customized operating system updates for their specific hardware.
Google said source code for all vulnerabilities addressed in this month’s Android security bulletin will be released to the Android Open Source Project repository by Wednesday.
organisation
Framework
With this month's Android security updates, Google fixed 10 critical security vulnerabilities in the System, Framework, and Kernel components that attackers exploit to gain remote code execution, elevate privileges, or trigger denial-of-service conditions.
organisation
Kernel
organisation
CVE-2026
"Someone gets initial access through a phishing link, a malicious app, or an RCE like CVE-2026-0006, and then uses the escalation to go deeper and persist," he says.
infrastructure
235 Qualcomm chipsets
According to its February advisory, which has yet to flag CVE-2026-21385 as exploited in attacks, the security flaw affects 235 Qualcomm chipsets.
organisation
Amnesty International's
As in, possibly a nation-state actor or commercial surveillance vendor.
"CVE-2024-43047 — another Qualcomm zero-day — used the same language when it was disclosed, and it was later tied to commercial spyware tooling via Amnesty International's Security Lab," Boynton says.
organisation
Known Exploited
Known Exploited Vulnerabilities (KEV) catalog on Monday.
organisation
KEV
organisation
Boynton
This, as Boynton points out, means that consumers are reliant on manufacturers (that aren't necessarily Google or Qualcomm) to fix an impacted device with a patch, even if the patch was released at disclosure.
Boynton says the fact that an attacker already needs to be on a device to use it offers a meaningful barrier to attack, hence why it likely hasn't been exploited in the wild just yet.
organisation
CVE-2025-48633
Google released patches for two other high-severity zero-day vulnerabilities (CVE-2025-48633 and CVE-2025-48572) in December, both of which were also tagged as "under limited, targeted exploitation."
organisation
CVE-2025-48572
organisation
Google Pixel
While Google Pixel devices receive security updates immediately, other vendors often take longer to test and tweak them for specific hardware configurations.
organisation
Google’s Threat Analysis Group
“We commend the researchers from Google’s Threat Analysis Group for using coordinated disclosure practices,” a Qualcomm spokesperson told CyberScoop.
organisation
CyberScoop
organisation
CVE
Nearly half of those vulnerabilities have CVE identifiers from 2025.
organisation
Imagination Technologies
The second patch addresses 66 vulnerabilities, including 15 vulnerabilities affecting the kernel, one Arm component defect, seven Imagination Technologies flaws and seven vulnerabilities in Unisoc components.
2026-03-05
Google issued two sets of patches: the 2026-03-01 and 2026-03-05 security patch levels for Android.
infrastructure
Android
The Android security bulletin for March includes two patch levels — 2026-03-01 and 2026-03-05 — allowing Android partners to address common vulnerabilities on different devices.
December 18
Threat actors exploited a previously unknown zero-day vulnerability in Qualcomm's Android software on December 18.
Dec. 18
Threat actors exploited the Qualcomm Zero-Day Exploited in targeted Android attacks.
infrastructure
Android
The memory-corruption vulnerability — CVE-2026-21385 — which Google’s Android security team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a security bulletin.
vulnerability
CVE-2026-21385
organisation
Qualcomm
infrastructure
234 chipsets
Tactical Metrics
Metrics
infrastructure
Android
Affected Product
Metrics
infrastructure
235
Qualcomm Chipsets
Metrics
infrastructure
234
Chipsets
Intelligence Sources
BleepingComputer, 2026-03-03: Android gets patches for Qualcomm zero-day exploited in attacks
CyberScoop, 2026-03-02
Dark Reading, 2026-03-03
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T07:39
Comprehensive Tactical Telemetry
Highly Correlated Entities
19x | organisation | Identified Entity | CVE-2026-0047 | entity
15x | timeline | Temporal Reference | March 2 | date
6x | vulnerability | Exploited CVE | CVE-2026-0047 | cve
5x | general metric | Vulnerabilities | 107 | vulnerabilities
4x | tactic | Cyber Operation Type | Privilege Escalation | tactic
2x | attribution | Attributing Entity | CVSS | authority
2x | tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique
Contextual Telemetry
Context Block
10 METRICS
infrastructure | Affected Product | Android | software
vulnerability | CVSS Score | 8 | score
data breach | Alleged Members | 30 | alleged members
general metric | Android Security Vulnerabilities | 129 | android security vulnerabilities
infrastructure | Qualcomm Chipsets | 235 | qualcomm chipsets
general metric | Critical Security Vulnerabilities | 10 | critical security vulnerabilities
general metric | Red Report | 2,026 | red report
general metric | Malicious Samples | 1,100,000 | malicious samples
infrastructure | Chipsets | 234 | chipsets
general metric | Defects | 120 | defects