A memory corruption vulnerability across a broad range of Qualcomm chipsets has been confirmed by CISA as actively exploited, prompting a federal patch deadline of March 24, 2026.
What Is It
CVE-2026-21385 is an integer overflow or wraparound vulnerability (CWE-190) in Qualcomm chipset firmware, triggered while handling alignment during memory allocation. The arithmetic flaw leads to memory corruption downstream. It carries a CVSS 3.1 base score of 7.8 (HIGH) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning a local attacker with low privileges and no user interaction can achieve full confidentiality, integrity, and availability impact on the affected device.
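As an added illustration (not Qualcomm's code, and not a reproduction of the actual defect), the constructed helper below shows the CWE-190 pattern the advisory describes: rounding a request up to an alignment boundary with unchecked arithmetic can wrap around, so a huge request comes back as a tiny "aligned" size, beside a checked version that rejects the wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example of an alignment round-up helper. It is not Qualcomm's
 * code; it only models the arithmetic class (CWE-190) named in the advisory. */

/* Unchecked round-up: size + (align - 1) can exceed SIZE_MAX and wrap, so a
 * request near the top of the range yields a tiny result. An allocator that
 * trusts this value hands out far less memory than the caller later writes. */
size_t align_up_unchecked(size_t size, size_t align) {
    return (size + (align - 1)) & ~(align - 1);
}

/* Checked round-up: requires a power-of-two alignment and detects the
 * wraparound before it happens. Returns false on overflow; *out is untouched. */
bool align_up_checked(size_t size, size_t align, size_t *out) {
    if (align == 0 || (align & (align - 1)) != 0) {
        return false;                 /* alignment must be a power of two */
    }
    if (size > SIZE_MAX - (align - 1)) {
        return false;                 /* size + (align - 1) would wrap */
    }
    *out = (size + (align - 1)) & ~(align - 1);
    return true;
}

int main(void) {
    size_t huge = SIZE_MAX - 7;       /* constructed request near SIZE_MAX */
    size_t aligned;

    /* Wraps to 0: an allocator would return a zero-byte block for a huge request. */
    printf("unchecked: %zu -> %zu\n", huge, align_up_unchecked(huge, 64));
    if (!align_up_checked(huge, 64, &aligned)) {
        printf("checked: request of %zu rejected (would wrap)\n", huge);
    }
    if (align_up_checked(100, 64, &aligned)) {
        printf("checked: 100 -> %zu\n", aligned);   /* 128 */
    }
    return 0;
}
```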
Why It Matters
CISA added CVE-2026-21385 to the Known Exploited Vulnerabilities (KEV) catalog on March 3, 2026, confirming evidence of active exploitation in the wild. Ransomware campaign use is currently listed as "Unknown." Because the flaw lives in low-level chipset firmware, successful exploitation gives an attacker a foothold beneath the operating system layer, with high impact across confidentiality, integrity, and availability. The local attack vector makes it most relevant as a privilege escalation or post-compromise primitive, and it could plausibly be paired with a remote vector to deliver a complete exploit chain on Android handsets and other Qualcomm-powered devices, though no such chaining has been publicly confirmed.
What's Vulnerable
The vulnerability spans a broad set of Qualcomm chipset firmware, including (per NVD CPE data):
- Snapdragon 4 Gen 1 Mobile Platform
- SM7675P, SM8475P, SM8550P, SM8635, SM8635P, SM8650Q, SM8750P
- Smart Audio 400 Platform
- Smart Display 200 Platform
NVD lists additional affected chipsets beyond this sample. Because Qualcomm silicon is embedded in a wide array of OEM devices (phones, tablets, IoT, audio, and display platforms), the downstream exposure surface is substantial.
Patch Status
Qualcomm published fixes in its March 2026 Security Bulletin, and the fix is incorporated into the Android Security Bulletin for March 1, 2026. CISA's required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Federal civilian agencies were required to remediate by March 24, 2026. Because patch delivery depends on device OEMs, CISA explicitly directs operators to check with their specific vendor for patch availability.