Google disclosed one actively exploited zero-day vulnerability Monday, warning that the high-severity defect affecting an open-source Qualcomm display component for Android devices “may be under limited, targeted exploitation.”
The memory-corruption vulnerability —
CVE-2026-21385 — which Google’s
Android security team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a
security bulletin. Qualcomm said it notified customers of the vulnerability Feb. 2.
Qualcomm declined to say when the earliest known instance of exploitation occurred, how many victims have been directly impacted, and what occurred during the 10-week period between the reporting and public disclosure of the vulnerability.
“We commend the researchers from Google’s Threat Analysis Group for using coordinated disclosure practices,” a Qualcomm spokesperson told CyberScoop. “Fixes were made available to our customers in January 2026. We encourage end users to apply security updates as they become available from device makers.”
A Google spokesperson said Qualcomm marked the vulnerability as exploited. “We don’t have any info or access to the exploit reports,” the spokesperson added.
Google addressed 129 defects in its
monthly security update for Android devices, reflecting a surge in vulnerability disclosures from the vendor. The company’s latest security update contains the highest number of Android vulnerabilities patched in a single month since April 2018.
cyberscoop.com
