A zero-day vulnerability in the Qualcomm chipsets used by many Android mobile devices is being actively exploited in the wild, according to Google, and system users should apply the relevant updates as soon as possible.
Tracked as CVE-2026-21385, the flaw is a memory corruption vulnerability that arises from an integer overflow or graphics wraparound condition. Left unaddressed, it enables a threat actor to bypass security controls and take over the targeted system.
It affects well over 200 chipsets in widespread use, according to Qualcomm, which said it was first reported in December 2025 by the Google Android Security Team, and it notified its own customers on 2 February 2026, with fixes rolling out as long ago as January.
In its March Security Bulletin, which additionally addresses over 100 other flaws in Android and related components thereof, Google said “there are indications that CVE-2026-21385 may be under limited, targeted exploitation”.
Google’s choice of wording suggests that CVE-2026-21385 is being used by a state-linked surveillance operation as, historically, this has been the case with a great many zero-days that ultimately endanger smartphone devices.
However, Google has made no firm statement on this point, and nor has it provided any information on the minutiae of the attacks, or their victims, to date.
In its bulletin, Google additionally flagged CVE-2026-0047, a critical elevation of privilege (EoP) flaw, and CVE-2026-0006, a remote code execution (RCE) flaw, as warranting close attention from defenders.
Adam Boynton, senior enterprise strategy manager at Jamf, a specialist in Android and iOS security, said the Qualcomm zero-day would be of particular concern to security teams because although it has been patched by Google, it is OEMs and mobile carriers who really control when the patch trickles down down and reaches the actual devices in people’s pockets.
“In enterprise environments, that gap can stretch from days to months – and during that window, the vulnerability is public and the device is exposed,” he explained.
“Mobile is no longer a secondary attack surface, and organisations that treat it as such, by delaying updates, will be the ones that end up in incident reports.”
As of Tuesday 3 March, CVE-2026-21385 has also now been added to the Cybersecurity and Infrastructure Security Agency’s (Cisa’s) Known Exploited Vulnerabilities (Kev) catalogue. This obliges all agencies of the Federal Civilian Executive Branch (FECB) in the US to apply the Android patches by 24 March, and is a further signal of the potential scope, and damage, of the vulnerability to the wider enterprise community.
Apple not neglected
Meanwhile, on 3 March, Google’s in-house Threat Intelligence Group (GTIG) released details of a powerful exploit kit targeting Apple iPhone models running versions 13.0 through 17.2.01 of iOS.
The so-called Coruna kit is said to contain a set of five comprehensive iOS exploit chains comprising 23 total exploits – the most advanced of which use exploitation techniques and mitigation bypasses that are not yet public.
GTIG said it had tracked its use by a customer of an unnamed commercial spyware supplier, in a series of watering hole attacks targeting Ukrainian users, linked to Russian intelligence, and in a broad-scale campaign conducted by a financially motivated cyber criminal operator hailing from China – tracked as UNC6353.
“How this proliferation occurred is unclear, but suggests an active market for second-hand zero-day exploits,” the GTIG team said in their write-up.
“Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities.”
GTIG noted that Coruna is ineffective against devices running the latest version of iOS and encouraged all users to update their devices – or enable Lockdown Mode if this is not yet possible.
