Android March 2026 Patch: 129 Flaws Fixed, Qualcomm Zero-Day Exploited

Google just dropped its largest Android security update since April 2018 — 129 vulnerabilities patched in a single month, including an actively exploited Qualcomm zero-day. If you manage Android devices in an enterprise environment, this is a priority patch cycle that demands immediate attention. What Happened The March 2026 Android Security Bulletin addresses 129 CVEs across two patch levels (2026-03-01 and 2026-03-05). The headline finding is CVE-2026-21385 , a memory-corruption vulnerability in Qualcomm's open-source display driver component that Google confirms is "under limited, targeted exploitation" in the wild. The timeline tells its own story about coordinated disclosure: Dec 18, 2025 — Google reports flaw to Qualcomm Feb 2, 2026 — Qualcomm notifies OEM customers Mar 2, 2026 — Public disclosure and patches released Technical Breakdown CVE-2026-21385 — The Actively Exploited Zero-Day This memory-corruption bug lives in Qualcomm's open-source display driver and affects a stagger