CVE-2026-21385

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2026 with a remediation deadline of March 24, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2026-21385 is a memory corruption vulnerability in Qualcomm chipset firmware. The flaw occurs due to improper use of alignment values during memory allocation, leading to an integer overflow (CWE-190) that can corrupt adjacent memory. A local attacker with low privileges can exploit this to achieve arbitrary code execution, full data disclosure, or a denial-of-service condition on the affected device.

Rapid KEV Listing: Evidence of Zero-Day Exploitation

This CVE achieved an exceptionally fast CISA KEV listing: published March 2, added to KEV March 3 (one day). This rapid timeline is a strong indicator of active, in-the-wild exploitation prior to public disclosure.

CISA KEV Requirement: The catalog only includes vulnerabilities with confirmed evidence of active exploitation. They do not add CVEs based on severity scores alone. The one-day turnaround indicates CISA had exploitation evidence before or synchronized with the public advisory.

What This Likely Means

Pre-disclosure exploitation phase: The vulnerability was likely discovered in the wild weeks or months before March 2, then reported through responsible disclosure channels (possibly Google TAG, Amnesty International Security Lab, or similar threat-intelligence groups).
Coordinated embargo & disclosure: Qualcomm, Google (Android), and CISA coordinated the public release:
- Qualcomm published the March 2026 Security Bulletin with patches
- Google released the Android 2026-03-01 security patch simultaneously
- CISA added the CVE to KEV on March 3 with evidence in hand
Historical pattern: Qualcomm chipset vulnerabilities are frequently discovered in targeted surveillance/spyware campaigns (against journalists, activists, and dissidents). This exploit pattern mirrors previous zero-days like those in Pegasus.

Vulnerability Description

Memory corruption while using alignments for memory allocation.

The root cause is an integer overflow or wraparound (CWE-190) triggered when alignment parameters used during dynamic memory allocation are not properly validated. When a crafted alignment value causes the computed allocation size to wrap around, the allocator returns a buffer that is smaller than expected. Subsequent writes to this undersized buffer corrupt adjacent heap memory, which an attacker can leverage for code execution at the firmware or kernel level.

Affected Components

This vulnerability affects firmware across a massive range of Qualcomm chipsets spanning mobile, automotive, IoT, audio, connectivity, wearable, compute, and XR platforms. Over 230 distinct hardware configurations are listed in the NVD.

Snapdragon Mobile Platforms

Snapdragon 4 Gen 1 Snapdragon 4 Gen 2 Snapdragon 429 Snapdragon 460 Snapdragon 480 / 480+ 5G Snapdragon 6 Gen 1 Snapdragon 6 Gen 3 Snapdragon 6 Gen 4 Snapdragon 625 / 626 Snapdragon 660 / 662 Snapdragon 680 4G Snapdragon 685 4G Snapdragon 690 5G Snapdragon 695 5G Snapdragon 7 Gen 1 Snapdragon 7+ Gen 2 Snapdragon 7s Gen 3 Snapdragon 778G / 778G+ 5G Snapdragon 782G Snapdragon 8 Gen 1 Snapdragon 8+ Gen 1 Snapdragon 8 Gen 2 Snapdragon 8+ Gen 2 Snapdragon 8 Gen 3 Snapdragon 8 Elite Snapdragon 8 Elite Gen 5 Snapdragon 865 / 865+ 5G Snapdragon 870 5G Snapdragon 888 / 888+ 5G Qualcomm 215

Automotive & IoT

Snapdragon 820 Automotive Snapdragon Auto 5G Modem-RF SA6145P / SA6150P / SA6155P SA7255P / SA7775P SA8145P – SA8295P SA8620P / SA8770P / SA9000P LeMans AU / LeMans AU LGIT Monaco IoT Robotics RB2 / RB5 Flight RB5 5G IQ-615 / IQ-8275 / IQ-8300 IQ-9075 / IQ-9100 Vision Intelligence 100 / 200 / 400 Smart Audio 400 / Smart Display 200

Connectivity & Modems

FastConnect 6200 / 6700 / 6800 / 6900 / 7800 QCA6174A / QCA6391 / QCA6564A QCA6574 / QCA6584AU / QCA6595 QCA6678AQ / QCA6688AQ / QCA6696 / QCA6698AQ QCA6797AQ / QCA8081 / QCA8337 QCA9367 / QCA9377 / QCA2066 WCN3615 / WCN3620 / WCN3660B / WCN3680B WCN3910 / WCN3950 / WCN3980 / WCN3988 / WCN3990 WCN6450 / WCN6650 / WCN6755 WCN7860 / WCN7861 / WCN7880 / WCN7881 Snapdragon X5 / X12 LTE Modem Snapdragon X53 / X55 / X65 5G Modem-RF 5G Fixed Wireless Access Platform

XR, Wearable & Compute

Snapdragon XR2 5G / XR2+ Gen 1 Snapdragon AR1 Gen 1 / AR1+ Gen 1 Snapdragon W5+ Gen 1 Wearable Snapdragon 7c+ Gen 3 Compute SC8380XP SW5100 / SW5100P / SW6100 / SW6100P

Audio Codecs & Amplifiers

WCD9326 / WCD9330 / WCD9335 / WCD9341 WCD9360 / WCD9370 / WCD9371 / WCD9375 WCD9378 / WCD9380 / WCD9385 / WCD9390 / WCD9395 WSA8810 / WSA8815 / WSA8830 / WSA8832 WSA8835 / WSA8840 / WSA8845 / WSA8845H CSRA6620 / CSRA6640

Show additional affected chipsets & components…

APQ8098 AR8031 / AR8035 C-V2X 9150 FSM100 Platform G1 Gen 1 / G2 Gen 1 MDM9250 / MDM9628 Milos / Netrani / Orne Palawan25 / Pandeiro / Themisto QAM8255P / QAM8295P QAMSRV1H / QAMSRV1M QCM2290 / QCM4325 / QCM4490 QCM5430 / QCM6125 / QCM6490 QCN6024 / QCN9011 / QCN9012 / QCN9024 QCS2290 / QCS4290 / QCS4490 / QCS8550 QLN1083BD / QLN1086BD QMP1000 QPA1083BD / QPA1086BD QRB5165M / QRB5165N QXM1083 / QXM1086 / QXM1093 – QXM1096 SA4150P / SA4155P SAR1165P / SAR1250P / SAR2130P / SAR2230P SD626 / SD662 / SD865 5G / SDA660 / SDM429W SDX61 SM6225P / SM6650P / SM7325P / SM7435 SM7550 / SM7550P / SM7635P / SM7675 / SM7675P SM8475P / SM8550P / SM8635 / SM8635P SM8650Q / SM8750P SRV1H / SRV1M SXR2230P / SXR2250P / SXR2330P / SXR2350P Video Collaboration VC1 / VC3 / VC5 QCA8695AU

Am I Affected? Consumer Guidance

With 230+ affected chipsets spanning nearly a decade of Qualcomm products, determining if your device is vulnerable can be challenging. Here's practical guidance by platform.

Samsung Galaxy Series

Samsung Galaxy S25, S24, S23, S22, S21, S20 — All use affected Snapdragon chipsets:

Galaxy S25: Snapdragon 8 Elite ✓ affected
Galaxy S24: Snapdragon 8 Gen 3 ✓ affected
Galaxy S23: Snapdragon 8 Gen 2 ✓ affected
Galaxy S22: Snapdragon 8 Gen 1 ✓ affected
Galaxy S21: Snapdragon 888 ✓ affected

Also affected: OnePlus flagship models, Xiaomi flagship models, and virtually all Android phones with Snapdragon processors from ~2017 onward.

Google Pixel Phones

Pixel 6 and newer (Pixel 6, 7, 8, 8 Pro, 9): These use Google's Tensor chips (based on Samsung Exynos), *not* Qualcomm SoCs. They are **not directly listed** in this Qualcomm advisory.

However, older Pixel phones used Qualcomm Snapdragon SoCs and may be affected:

Pixel 5 / 5a: Snapdragon 765G — not explicitly listed, but closely related to listed chipsets
Pixel 4 / 4a: Snapdragon 855 / 730G — similar era chipsets
Pixel 3 / 3a: Snapdragon 845 / 670

⚠ Pixel 5 and older are past Google's end-of-life for security updates and may never receive a patch for this vulnerability. Consider replacing these devices.

Apple iPhones & iPads

Apple devices use Apple-designed A-series / M-series SoCs — they are not listed in this Qualcomm advisory. However, there is a nuance:

iPhone 12 / 13 series: Use Qualcomm Snapdragon X55 5G modem ✓ modem is on the affected list
iPhone 14 series: Uses Qualcomm Snapdragon X65 5G modem ✓ modem is on the affected list
iPhone 15 / 16 series: Use newer Qualcomm modems (X70/X75) — not explicitly listed in this advisory
iPads with cellular: Also use Qualcomm modems in many models

Key distinction: While iPhones contain Qualcomm modem components, this CVE is a Qualcomm platform firmware vulnerability. Apple controls its own firmware stack independently and Apple is not listed as an affected vendor in this advisory. The exploitability of this specific flaw through just the modem component is unclear.

Bottom line for iPhone users: This CVE is primarily an Android / Windows on ARM / IoT concern. There is no Apple security advisory related to CVE-2026-21385 at this time. Keep your iPhone updated to the latest iOS version.

Windows Copilot+ PCs (Snapdragon X Elite Laptops)

Affected devices include:

Microsoft Surface Laptop (Snapdragon X Elite / SC8380XP) ✓ affected
Lenovo Yoga Slim 7x, ThinkPad T14s Gen 6
Dell XPS 13 (2024, ARM version)
HP OmniBook X, ASUS Vivobook S 15

All Windows on ARM devices using Snapdragon X Elite or X Plus chipsets are impacted.

How to Identify Your Chipset

Platform	Steps
Android	Settings → About Phone → Processor, or install CPU-Z / DevCheck from the Play Store
Windows	Settings → System → About → Processor field, or press `Win+R` and type `msinfo32`
Automotive	Check your vehicle's infotainment system "About" menu, or consult your manufacturer's website

How to Verify You're Patched

Platform	How to Check
Android	Settings → About Phone → Android security patch level — must show `2026-03-01` or later
Windows on ARM	Settings → Windows Update + your OEM's firmware tool (Dell Update, Lenovo Vantage, Surface app)
IoT / Automotive	Check with your device or vehicle manufacturer for firmware update availability

Quick Action Guide

Assume you're affected if you have any Qualcomm Snapdragon device from ~2017 onward.
Update immediately — Android: install all system updates until patch level reads 2026-03-01 or later. Windows ARM: run Windows Update and your OEM firmware tool.
Note: Some OEMs lag behind by weeks. Samsung, Google, and OnePlus typically patch quickly. Budget brands may take longer.
If no patch is available: Avoid untrusted apps, disable USB debugging, and restrict local access until updates arrive.

Impact

Impact Area	Detail
Confidentiality	High — Full disclosure of sensitive data in memory
Integrity	High — Arbitrary code execution at firmware/kernel level
Availability	High — Complete denial of service to the device
Attack Vector	Local — attacker needs local access or a local process on the device
Privileges Required	Low — minimal user-level privileges required
User Interaction	None — no user action needed to trigger

Mitigation & Remediation

CISA BOD 22-01 Deadline: March 24, 2026. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Recommended Actions

Apply the Qualcomm March 2026 Security Bulletin patch — available from Qualcomm and distributed through OEM firmware updates.
Apply the Android March 2026 Security Patch Level (2026-03-01) — addresses this CVE for Android devices using affected Qualcomm SoCs.
Ensure all affected devices receive the latest firmware/baseband updates from their OEM.
Monitor CISA KEV Catalog for any updated guidance.
Restrict local access and enforce least-privilege policies on affected systems (automotive head units, IoT gateways, robotics platforms, etc.).

Property	Value
CVE ID	CVE-2026-21385
Vendor / Product	Qualcomm — Multiple Chipsets
NVD Published	2026-03-02
NVD Last Modified	2026-03-04
CVSS 3.1 Score	7.8
CVSS 3.1 Vector	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
Severity	HIGH
CWE	CWE-190 — Integer Overflow or Wraparound
CISA KEV Added	2026-03-03
CISA KEV Deadline	2026-03-24
Known Ransomware Use	No

Date	Event
2026-03-02	CVE published on NVD; Qualcomm March 2026 Security Bulletin released
2026-03-03	Added to CISA Known Exploited Vulnerabilities Catalog
2026-03-04	NVD record last modified
2026-03-24	CISA BOD 22-01 remediation deadline

Resource	Type
NVD — CVE-2026-21385	Vulnerability Database
Qualcomm March 2026 Security Bulletin	Vendor Advisory / Patch
Android Security Bulletin — 2026-03-01	Vendor Advisory
CISA KEV Catalog Entry	US Government
CISA BOD 22-01	Remediation Directive
CWE-190 — Integer Overflow or Wraparound	Weakness Classification