129 Android Vulnerabilities Patched This Month — Including One Being Actively Exploited: The Business Device Security Checklist

---

What Just Dropped — and Why It Matters for Your Business

Every month, Google releases security patches for Android. Most months, the updates are routine. March 2026 is not routine.​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​​‍​‌‌‌​​‌​‍​‌‌​‌‌‌‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​​‌​‌‌​‌‍​‌‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​​‌​‌‌​‌‍​​‌‌​​​‌‍​​‌‌​​‌​‍​​‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌‌​‌‌​‍​‌‌‌​‌​‌‍​‌‌​‌‌​​‍​‌‌​‌‌‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​​​‌​‍​‌‌​‌​​‌‍​‌‌​‌‌​​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​​‌​‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌‌​‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌‌​‌‌​‍​‌‌​‌​​‌‍​‌‌​​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​

‌‌​‌​‌‌‍​‌‌​‌‌​​‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​​

Google's Android Security Bulletin for March 2026 includes patches for 129 separate vulnerabilities — the largest single monthly Android update in recent memory [1][2]. Among them are two that every business owner running Android devices should know about immediately.

CVE-2026-21385 (CVSS: 7.8 — High): A buffer over-read vulnerability in a Qualcomm Graphics component used across a wide range of Android devices. Google has confirmed this flaw is already under "limited, targeted exploitation" in the wild — meaning real attackers are using it right now [1][3]. The vulnerability involves memory corruption when processing graphics data, and Qualcomm's own advisory describes it as an integer overflow that was originally reported to Google's Android Security team in December 2025 [3].​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​​‍​‌‌‌​​‌​‍​‌‌​‌‌‌‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​​‌​‌‌​‌‍​‌‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​​‌​‌‌​‌‍​​‌‌​​​‌‍​​‌‌​​‌​‍​​‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌‌​‌‌​‍​‌‌‌​‌​‌‍​‌‌​‌‌​​‍​‌‌​‌‌‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​​​‌​‍​‌‌​‌​​‌‍​‌‌​‌‌​​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​​‌​‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌‌​‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌‌​‌‌​‍​‌‌​‌​​‌‍​‌‌​​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌​‌​‌‌‍​‌‌​‌‌​​‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​​

CVE-2026-0006 (Critical): A remote code execution (RCE) vulnerability in the System component. The classification is significant: "critical" in Android security bulletins means an attacker can exploit it to execute arbitrary code remotely with no user interaction required [1]. No suspicious link to click. No attachment to open. Just a device on the internet.

Related: Stop Patching Everything — The 1% Rule for SMB Security

---

The Business Exposure: Why Your Staff's Phones Are Your Problem Too

This is where many small businesses have a blind spot. The employee who uses their personal Android phone to check work email, log into the business Google Workspace, or approve invoices via a mobile app — their unpatched device is a direct bridge into your business systems.

According to NIST's Guidelines for Managing the Security of Mobile Devices in the Enterprise (SP 800-124r2), mobile devices accessing enterprise resources should be considered as equivalent-risk endpoints to laptops and desktops [7]. Yet most small businesses apply rigorous patching policies to their computers and almost none to mobile devices.

Verizon's 2025 Data Breach Investigations Report identified mobile devices as an increasingly common initial access vector, particularly in small and medium businesses where BYOD (bring your own device) policies are common but mobile device management (MDM) is absent [5].

The threat pattern is straightforward: an attacker exploits a vulnerability like CVE-2026-21385 to gain elevated access on a device. From there, they can access stored credentials, authentication tokens from banking or business apps, email, and — critically — any saved VPN configurations or cloud authentication cookies that provide access to your broader business environment.

According to IBM's 2025 Cost of a Data Breach Report, breaches involving mobile devices as an access vector carry a higher-than-average total cost due to the difficulty of detecting mobile-based intrusion through traditional network monitoring tools [6].

---

Which Devices Are Affected?

The Qualcomm vulnerability (CVE-2026-21385) affects Android devices using Qualcomm chipsets — which includes a significant majority of Android smartphones sold globally [3]. This covers most Samsung Galaxy, Google Pixel (earlier models), OnePlus, Xiaomi, Motorola, and other brands.

The critical RCE vulnerability (CVE-2026-0006) is in the Android System component itself, meaning it affects Android devices regardless of chipset manufacturer [1].

The two patch levels in the March bulletin — 2026-03-01 and 2026-03-05 — exist to give manufacturers different timelines to deploy chipset-specific fixes. If your device shows either date in its security patch level, it is protected [1].

How to check: Settings → About Phone → Android Version → Android Security Patch Level.

---

The Business Device Security Checklist

You do not need a mobile device management platform to handle this immediately. Here is a practical 5-point checklist for business owners with staff using Android devices to access business systems.

✅ Point 1 — Audit Which Devices Access Business Systems Right Now

Before you can patch, you need to know what's out there. Ask yourself:

• Which staff use personal or company Android phones to access business email, Google Workspace, Microsoft 365, or cloud tools?
• Which devices have your business Wi-Fi credentials saved?
• Which have access to customer databases, accounting software, or payment systems via mobile apps?

If you don't have this list already, send a quick message to your team today asking them to reply with the Android version and security patch level of any phone they use for work purposes.

✅ Point 2 — Check Security Patch Level on All Work-Accessed Devices

Instruct all staff to:

1. Open Settings
2. Go to About Phone
3. Tap Android Version or Software Information
4. Find Android Security Patch Level

Any device showing a patch level before March 2026 is currently vulnerable to both CVE-2026-21385 and CVE-2026-0006 [1].

✅ Point 3 — Update or Quarantine

For devices showing an old patch level:

• If an update is available (Settings → System → System Update), apply it immediately
• If the device manufacturer has not yet released the March patch, consider temporarily revoking that device's access to business systems until it is patched — particularly for any device with access to finance, admin, or customer data

According to CISA's Mobile Device Best Practices guidance, devices that cannot receive current security updates should not be permitted to access enterprise resources [8].

✅ Point 4 — Enable Auto-Update for Security Patches

On Android: Settings → System → System Update → tick "Automatic system updates" if available. Note that this only covers Google's security patches — manufacturer-specific updates (Samsung One UI, for example) may require a separate auto-update setting.

The Australian Signals Directorate's Annual Cyber Threat Report identifies unpatched mobile operating systems as a consistent attack vector used against Australian businesses [4]. Automatic updates remove the human step from what should be a routine process.

✅ Point 5 — Review What Business Data Is Accessible from Mobile

This is the strategic fix that protects you regardless of what vulnerabilities emerge next month.

• In Microsoft 365 Admin Center or Google Workspace Admin Console, review which apps have been granted mobile access, and enable conditional access policies that require devices to meet a minimum patch level
• Consider whether staff genuinely need mobile access to your highest-risk systems, or whether a "view-only" mobile experience reduces your exposure without reducing productivity
• If your business regularly handles sensitive data (health, financial, legal), an entry-level Mobile Device Management (MDM) solution like Microsoft Intune (included in Microsoft 365 Business Premium) allows you to remotely wipe devices and enforce patch-level requirements — NIST specifically recommends MDM for businesses where mobile data access is routine [7]

---

The Bigger Picture: Mobile Is Now a Primary Attack Surface

This month's Android bulletin is not an anomaly — it reflects a broader trend. According to the Microsoft Digital Defense Report 2025, mobile device exploitation has increased year-over-year as attackers follow the data: business information increasingly lives on mobile devices, so mobile devices increasingly attract attacks [8].

The good news is that mobile security hygiene is largely solved by three things: keeping software updated, limiting what data and access mobile devices can reach, and having a clear policy about what happens when a device is lost or compromised.

None of those require a large budget. They require clarity about what you're protecting and a decision to take 30 minutes to protect it.

Your business's fitness, resilience, and ability to keep serving clients depends on the security of every device that touches your data — not just the computers on your desks.

---

FAQ

References

[1] Google, "Android Security Bulletin—March 2026," Android Open Source Project, Mar. 2026. [Online]. Available: https://source.android.com/docs/security/bulletin/2026/2026-03-01

[2] The Hacker News, "Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited," The Hacker News, Mar. 3, 2026. [Online]. Available: https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html

[3] Qualcomm, "March 2026 Security Bulletin," Qualcomm Technologies, Mar. 2026. [Online]. Available: https://docs.qualcomm.com/securitybulletin/march-2026-bulletin.html

[4] Australian Signals Directorate, "ASD Annual Cyber Threat Report 2023-24," Australian Signals Directorate, 2024. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2023-june-2024

[5] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[6] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[7] NIST, "SP 800-124 Rev. 2: Guidelines for Managing the Security of Mobile Devices in the Enterprise," National Institute of Standards and Technology, 2023. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final

[8] Microsoft, "Microsoft Digital Defense Report 2025," Microsoft Security, 2025. [Online]. Available: https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2025

[9] CISA, "Mobile Device Best Practices," Cybersecurity and Infrastructure Security Agency, 2024. [Online]. Available: https://www.cisa.gov/resources-tools/resources/mobile-device-best-practices

[10] SecurityWeek, "Android Update Patches Exploited Qualcomm Zero-Day," SecurityWeek, Mar. 2026. [Online]. Available: https://www.securityweek.com/android-update-patches-exploited-qualcomm-zero-day/amp/

---

Not sure whether your staff's mobile devices are putting your business at risk? Book a free mobile security review with lilMONSTER — we'll audit your business's mobile access policies and give you a clear, actionable remediation plan.