Android’s March 2026 security patch fixes over 100 flaws, one under targeted exploitation

The Android March 2026 security patch addresses vulnerabilities across dozens of components and includes one CVE confirmed under active exploitation. Devices running a patch level of 2026-03-05 or later receive fixes for all disclosed issues.

Android March 2026 security patch includes one CVE under active exploitation

The bulletin notes indications that CVE-2026-21385 may be under limited, targeted exploitation. The flaw resides in the Qualcomm Display component and is rated High severity. Organizations running devices with Qualcomm chipsets should treat patching of this issue as time-sensitive.

Critical vulnerabilities span RCE, kernel hypervisor, and privilege escalation

A severe issue in the bulletin is a critical vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, and without requiring user interaction. That flaw, CVE-2026-0006, affects Android 16 and is tied to the Media Codecs Mainline component, meaning it can receive an update through Google Play system updates on eligible devices.

A second critical issue in the System component, CVE-2025-48631, carries a denial-of-service classification and affects Android 14, 15, 16, and 16-QPR2.
The Framework component contains its own critical-rated issue, CVE-2026-0047, which enables local escalation of privilege. That flaw is limited to Android 16-QPR2.

Kernel-level vulnerabilities account for some of the most structurally significant entries. Several critical elevation-of-privilege flaws affect the Protected Kernel-Based Virtual Machine (pKVM) subsystem, including CVE-2026-0037, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031. CVE-2024-43859, rated Critical, targets the Flash-Friendly File System (F2FS). CVE-2026-0038 affects the Hypervisor. All kernel vulnerabilities fall under the 2026-03-05 patch level. The most severe of the kernel issues requires System execution privileges for exploitation, with no user interaction needed.

Framework carries the highest volume of flaws

The Framework section is the largest in the bulletin, listing more than 30 CVEs. The majority are elevation-of-privilege issues rated High. Three entries cover information disclosure, and three others cover denial-of-service conditions. Affected AOSP versions vary by flaw, with several touching Android 14 through 16-QPR2.

Several Framework vulnerabilities are tied to Mainline components and can be patched through Google Play without a full OTA update. Affected Mainline subcomponents include MediaProvider, Documents UI, and Permission Controller.

Chipset vendors contribute a large share of the total CVE count

Third-party silicon and component vendors account for a substantial portion of the bulletin’s total vulnerability count.

MediaTek disclosures include 20 CVEs spanning the KeyInstall component, the display subsystem, and multiple modem-related flaws. Qualcomm contributes six open-source CVEs in the Display and Security components, plus eight additional closed-source component entries. Imagination Technologies accounts for seven PowerVR GPU issues. Unisoc lists seven modem vulnerabilities. A single Arm Mali entry and one VBMeta issue from a miscellaneous OEM round out the hardware-vendor section.

All hardware-vendor entries in this bulletin are rated High. Severity assessments for those issues come directly from the respective vendors.

Patch delivery

Source code patches will be released to the Android Open Source Project repository. Devices on Android 10 and later may receive applicable Mainline component updates through Google Play system updates independently of carrier or OEM OTA schedules.