Google has issued its March Android Security Bulletin, patching a critical 129 vulnerabilities. Among these is a zero-day flaw in a Qualcomm display component, which may be under "targeted, limited exploitation." The update also addresses 10 critical severity bugs within Android's core System and Kernel components, including remote code execution and privilege escalation vulnerabilities.
This month's patches also tackle issues in components from Qualcomm, MediaTek, Arm, and others, though not all Android devices will be affected. The zero-day, CVE-2026-0006, is a remote code execution vulnerability in the System component requiring no user interaction. Another critical flaw, CVE-2025-48631, is a denial-of-service bug in System, and CVE-2026-0047 is an escalation of privilege vulnerability in Framework.
Users are strongly advised to install the latest security patch as soon as it is available via a system notification. While Google pushes updates for its Pixel devices and the core Android Open Source Project (AOSP), users of other manufacturers' devices like Samsung, Motorola, or Nokia might experience a slight delay. The update includes two patch levels: 2026-03-01 and 2026-03-05, with the latter containing all fixes. Users can check for updates in Settings > Security & privacy > System & updates > Security update.