theinfosecnews

CVE-2026-21385

CISA KEV

Published March 3, 2026 · Updated April 3, 2026

high

What This Means

# CVE-2026-21385: Qualcomm Chipset Memory Corruption

**What it is:** Multiple Qualcomm chipsets contain a memory corruption flaw in memory allocation alignment routines that attackers can exploit to execute arbitrary code or crash devices.

**Impact:** Devices using affected Qualcomm chipsets are vulnerable to local privilege escalation or denial of service depending on the chipset model and Android/firmware version deployed.

**Action items:**

- Identify Qualcomm chipset inventory across mobile and IoT devices using Qualcomm's advisory or your MDM/asset management tools.
- Prioritize patching Android devices and applying firmware updates from OEMs (Samsung, Google Pixel, OnePlus, etc.) as Qualcomm releases mitigations.
- Monitor vendor advisories; Qualcomm typically publishes affected chipset model numbers and patch timelines on their security bulletin page.

Official Description

Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation.

Affected Products

| Vendor | Product |
| --- | --- |
| Qualcomm | Multiple Chipsets |

Patch Status

Patch by 2026-03-24

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2026-21385.

Related Coverage

Vulnerability

CVE-2026-21385: Qualcomm Chipset Memory Corruption Flaw Enables Privilege Escalation Across Mobile and IoT Devices

CVE-2026-21385 is a memory corruption vulnerability affecting multiple Qualcomm chipsets, triggered by improper alignment handling during memory allocation. Successful local exploitation can lead to privilege escalation or denial of service on Android smartphones, tablets, and IoT devices using Qualcomm silicon. CISA mandates federal agency remediation by 2026-03-24; enterprises should immediately inventory affected devices and apply OEM-issued patches.

CISA KEV · 31d ago · 3 min read