嗯,用户让我帮忙总结一下这篇文章的内容,控制在100个字以内,而且不需要用“文章内容总结”之类的开头。我得先仔细读一下文章,抓住主要信息。 文章主要讲的是Google确认了一个高危漏洞CVE-2026-21385被实际利用了。这个漏洞影响的是Qualcomm的组件,用于Android设备。漏洞类型是缓冲区溢出,可能导致攻击者访问敏感内存数据。Google在3月的更新中修复了这个漏洞,还提到了其他一些关键漏洞。 接下来,我需要把这些信息浓缩到100字以内。首先点出Google确认了漏洞被利用,然后说明漏洞的影响和类型,最后提到修复措施和其他关键漏洞。 可能会遇到的问题是信息太多,如何精简而不遗漏关键点。比如,“高危漏洞”、“缓冲区溢出”、“访问敏感数据”、“修复”等关键词必须保留。 再检查一下是否符合用户的要求:用中文、100字以内、直接描述内容。看起来没问题了。 </think> Google确认高危漏洞CVE-2026-21385被实际利用,影响Qualcomm组件的Android设备。该漏洞可能导致内存数据泄露。3月更新修复了包括此漏洞在内的129个问题,并公布了其他关键安全风险。 2026-3-3 10:3:6 Author: securityaffairs.com(查看原文) 阅读量:9 收藏
Android devices hit by exploited Qualcomm flaw CVE-2026-21385
Google confirms that the Qualcomm Android vulnerability CVE-2026-21385 was exploited in real-world attacks.
Google has confirmed that CVE-2026-21385 (CVSS score of 7.8), a high-severity vulnerability affecting an open-source Qualcomm component used in Android devices, has been actively exploited.
“There are indications that CVE-2026-21385 may be under limited, targeted exploitation.” reads Google’s advisory.
The flaw is a buffer over-read in the Graphics component that could allow attackers to access sensitive memory data, underscoring ongoing risks to Android users.
The company did not disclose technical details about the attacks exploiting this vulnerability.
“Integer Overflow or Wraparound in Graphics” reads the Qualcomm advisory. “Memory corruption while using alignments for memory allocation.”
Qualcomm received a report about CVE-2026-21385 from Google’s Android Security team on December 18, 2025, and notified customers on February 2, 2026. Google says it sees signs of limited, targeted exploitation, though it has not shared technical details. The March 2026 Android update fixes 129 vulnerabilities, including the critical CVE-2026-0006, which allows remote code execution without user interaction or additional privileges.
Android Security Bulletin March 2026 addressed the following critical flaws:
Framework
CVE-2026-0047 (CVSS score of 8,8) – Critical Framework Elevation of Privilege, local privilege escalation without extra privileges; no user interaction needed.
System
CVE-2026-0006 (CVSS score of 9,8) – Critical System Remote Code Execution, remote code execution without privileges; no user interaction; most severe issue.
CVE-2025-48631 (CVSS score of 8,6) – Critical System Denial of Service, causes device/service denial; no extra privileges needed.
Kernel
CVE-2024-43859 (CVSS score of 8,8) – Critical Kernel Elevation of Privilege in Flash-Friendly File System, local file system privilege escalation.
CVE-2026-0037 (CVSS score of 9,0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege, breaks virtual machine isolation with System privileges.
CVE-2026-0038 (CVSS score of 9,0) – Critical Hypervisor Elevation of Privilege, potential virtual machine escape to host control.
CVE-2026-0027 (CVSS score of 9,0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege, kernel virtualization privilege escalation.
CVE-2026-0028 (CVSS score of 9,0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege, local attacker escalates in protected virtual machines.
CVE-2026-0030 (CVSS score of 9,0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege, high-impact virtualization isolation bypass.
CVE-2026-0031 (CVSS score of 9,0) – Critical protected Kernel-based Virtual Machine Elevation of Privilege, escalates privileges across virtual machine boundaries.
Google’s Android security bulletin introduces two patch levels, 2026-03-01 and 2026-03-05, to help device makers roll out fixes more quickly across different models. The later patch level adds updates for
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Google)
如有侵权请联系:admin#unsafe.sh