Google patched 129 Android vulnerabilities in March 2026. One of them, CVE-2026-21385, was already being exploited. Not by criminals. By surveillance operators.
The vulnerability is in Qualcomm’s KGSL driver, the kernel-level component that manages GPU memory for the Adreno GPU. The root cause: a function called kgsl_memdesc_get_align() used a signed int return type. When user-supplied alignment values went through bit-shift operations, sign extension produced incorrect values. The memory allocation logic got corrupted. From there: arbitrary kernel memory corruption, privilege escalation, full device compromise.
The fix was changing the return type from signed int to unsigned u32. One type annotation.
234 Qualcomm chipsets are affected. Snapdragon 8 Gen 3 to budget 4-series chips. Automotive platforms. Wearables. XR devices. If it has an Adreno GPU, it was vulnerable.
Who found it and what that tells you
Google’s Threat Analysis Group reported the flaw. TAG does not hunt for generic bugs. They investigate government-backed hacking and commercial spyware operations. Their involvement is the strongest signal available that this vulnerability was weaponized by a surveillance vendor. Google’s bulletin uses the standard language: “limited, targeted exploitation.” That phrase means it is too narrow to be criminal infrastructure and too deliberate to be opportunistic.
No public IOCs. No campaign details. No attribution. That pattern is consistent with commercial spyware discoveries where legal and diplomatic considerations limit disclosure.
The KGSL driver keeps showing up
This is not the first time Qualcomm’s GPU driver has been exploited by surveillance operators. CVE-2024-43047 in the DSP service. CVE-2023-33063, CVE-2023-33106, CVE-2023-33107 in the Adreno GPU. CVE-2021-1905, a use-after-free. The KGSL driver is a kernel-level component accessible from userspace through ioctl calls, processing untrusted input at high frequency. It is a persistent, rich attack surface that surveillance vendors return to because it works.
The patch gap
Qualcomm had fixes ready in January. Public disclosure happened in March. CISA set a remediation deadline of March 24. But the fix requires Android security patch level 2026-03-05, and the reality of Android fragmentation means most devices will not see this update for months. Devices out of manufacturer support will never see it.
A signed integer type error in a GPU memory allocator. Discovered while investigating a surveillance campaign. Affecting a quarter-billion Android devices. Most of which will remain vulnerable indefinitely. The vulnerability itself is a one-line fix. The ecosystem that prevents that fix from reaching devices is the actual problem.