March 5, 2026

CVE-2026-21385

chip vulnerability

Lookout Coverage and Recommendation for Admins

To ensure your devices are protected, Lookout admins should take the following actions in their Lookout console:

1. Immediate OS Update (Priority: Critical): Ensure that the “Patch Level Out-of-Date” policy is enabled for your fleet. You can choose whether to alert the user that the device is out of compliance or block access to work apps until the Android Security Patch Level (ASPL) is updated to the latest version.

The fix is delivered via the March 5, 2026 ASPL. Action: If the patch level is dated prior to March 2026, check for updates immediately. Google Pixel and Samsung Galaxy devices are typically the first to receive these rollouts.

2. Application Vetting: Since the attack vector requires a local application to trigger the overflow, remove any unnecessary or "sideloaded" (APK) applications from untrusted sources.

3. Enterprise MDM Enforcement: For organizations managing a fleet of mobile devices, set a compliance rule in your Mobile Device Management (MDM) software to block devices with a security patch level older than March 1, 2026. Also, automatically revoke access to corporate resources (Email, VPN, Slack) for non-compliant devices until the firmware is updated.
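The compliance rule in step 3 comes down to one decision per device: is its Android Security Patch Level on or after the required date? The following is an added example (not Lookout's or any MDM vendor's code) of that check applied to a constructed fleet listing. It assumes the patch level is available as a YYYY-MM-DD string, which is the format Android exposes through the ro.build.version.security_patch property, and it fails closed: a missing or malformed value is reported as non-compliant rather than ignored.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimum Android Security Patch Level required by the compliance rule
 * described in the guidance above (March 1, 2026). */
#define REQUIRED_ASPL "2026-03-01"

/* Parse an ASPL string of the form YYYY-MM-DD into its parts.
 * Returns false for empty or malformed input so the caller treats the
 * device as non-compliant instead of silently passing it. */
static bool parse_aspl(const char *s, int *y, int *m, int *d)
{
    char extra;
    if (s == NULL || strlen(s) != 10)
        return false;
    /* the trailing %c must NOT match; exactly three fields are expected */
    if (sscanf(s, "%4d-%2d-%2d%c", y, m, d, &extra) != 3)
        return false;
    return *m >= 1 && *m <= 12 && *d >= 1 && *d <= 31;
}

/* True when the device's patch level is on or after REQUIRED_ASPL.
 * Unparsable values are treated as non-compliant (fail closed). */
bool aspl_compliant(const char *device_aspl)
{
    int y, m, d, ry, rm, rd;
    if (!parse_aspl(device_aspl, &y, &m, &d))
        return false;
    parse_aspl(REQUIRED_ASPL, &ry, &rm, &rd);
    if (y != ry) return y > ry;
    if (m != rm) return m > rm;
    return d >= rd;
}

int main(void)
{
    /* Constructed sample fleet: a device id and the value a management
     * agent would read from ro.build.version.security_patch. */
    const char *fleet[][2] = {
        {"pixel-001",   "2026-03-05"},
        {"galaxy-002",  "2026-02-01"},
        {"tablet-003",  "2025-12-01"},
        {"unknown-004", ""},
    };
    for (size_t i = 0; i < sizeof fleet / sizeof fleet[0]; i++)
        printf("%-12s %-12s %s\n", fleet[i][0], fleet[i][1],
               aspl_compliant(fleet[i][1]) ? "compliant"
                                           : "BLOCK: update required");
    return 0;
}
```

The same comparison drives both the "block access" and "revoke corporate resources" actions: a device is either at or beyond the threshold, or it is denied until it reports a newer patch level.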

Overview

CVE-2026-21385 is a high-severity (CVSS 7.8) security flaw found in the Qualcomm Adreno GPU driver, the software that manages your phone's graphics. The issue stems from a "math error" in the Memory Management Unit (MMU), which is responsible for organizing how the phone allocates space for graphics data.

Because of this error, the driver can miscalculate the size of the memory buffers it creates. This allows an attacker to intentionally "overflow" data into restricted areas, corrupting the system's memory at a very deep level. This poses a significant risk to Android devices, as it creates a path for malicious apps to bypass standard security and gain unauthorized access to the system.

The flaw was disclosed in early March 2026, and Google’s Threat Analysis Group (TAG) has confirmed that it is currently being leveraged in active, real-world attacks via specialized local privilege escalation. It was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog on March 3, 2026. The federal deadline to have all vulnerable devices patched is March 24, 2026. While this mandate applies to federal agencies, enterprise organizations are strongly advised to follow the same timeline.

Lookout Analysis

This vulnerability is a calculation error in the way the phone's graphics hardware manages its internal memory. The exploitation of CVE-2026-21385 typically follows these steps:

  1. Error: A malicious app can send a specific request that causes the phone’s memory counter to "roll over" and miscalculate how much space it needs.
  2. Result: Because of this miscalculation, the phone allocates a tiny amount of memory for a large amount of data. This causes the data to "overflow" into protected areas of the phone's system.
  3. Risk: This memory overflow allows a basic app to bypass your phone’s security barriers. Once those barriers are broken, the app gains "Master" permissions, allowing it to access your private data, messages, and camera without your knowledge.
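The "math error" named in the Overview and the "roll over" in step 1 above describe the same defect class: an allocation size computed in fixed-width integer arithmetic that wraps, so the driver reserves a small buffer for a large request. The following added example (illustrative only; it is not the Qualcomm Adreno driver code and not Lookout's) shows that sizing pattern beside a hardened version. The entry size, the request cap, and the function names are assumptions chosen for the illustration; the 32-bit arithmetic is what makes the wrap visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed parameters for a simplified table-sizing routine. */
#define ENTRY_SIZE  8u          /* bytes per mapping entry (assumed) */
#define MAX_ENTRIES (1u << 20)  /* policy cap on a single request (assumed) */

/* Vulnerable pattern: the byte count is computed in 32 bits, so a large
 * entry count wraps and yields a tiny allocation for a large amount of
 * data. Unsigned wrap is well-defined in C, which is why no error is
 * raised and the caller proceeds with the wrong size. */
uint32_t vuln_table_bytes(uint32_t entries)
{
    return entries * ENTRY_SIZE;   /* wraps silently once entries >= 2^29 */
}

/* Hardened pattern: reject absurd requests up front, then use an
 * overflow-checked multiply for the size. Returns false and writes
 * nothing when the request cannot be honoured. */
bool safe_table_bytes(uint32_t entries, size_t *out)
{
    size_t bytes;
    if (entries == 0 || entries > MAX_ENTRIES)
        return false;
    if (__builtin_mul_overflow((size_t)entries, (size_t)ENTRY_SIZE, &bytes))
        return false;   /* unreachable under the cap, but cheap to keep */
    *out = bytes;
    return true;
}

/* Detection helper: true when the vulnerable computation under-allocates,
 * i.e. the wrapped 32-bit result is smaller than the true product. */
bool vuln_under_allocates(uint32_t entries)
{
    uint64_t true_bytes = (uint64_t)entries * ENTRY_SIZE;
    return (uint64_t)vuln_table_bytes(entries) < true_bytes;
}

int main(void)
{
    uint32_t req = 0x20000001u;   /* constructed: 2^29 + 1 entries */
    size_t bytes;

    printf("vulnerable sizing: %u entries -> %u bytes (under-allocates: %s)\n",
           req, vuln_table_bytes(req), vuln_under_allocates(req) ? "yes" : "no");
    printf("hardened sizing:   request %s\n",
           safe_table_bytes(req, &bytes) ? "accepted" : "rejected");
    return 0;
}
```

The hardened version is the shape of fix a driver patch typically takes: bound the count against what the hardware can legitimately need, and compute sizes with checked arithmetic (or in a wider type) so a miscalculation becomes a refused request rather than a corrupted heap.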

Authors

Lookout

Entry Type: Threat Guidances
Threat Type: Vulnerability