PatchSiren

CVE-2026-21385 Qualcomm CVE debrief

CVE-2026-21385 is a Qualcomm memory corruption vulnerability affecting multiple chipsets and was added to CISA’s Known Exploited Vulnerabilities catalog on 2026-03-03. In practical terms, this is a high-priority issue for organizations that use affected Qualcomm-based devices, especially where patching depends on downstream OEM release timing.

Vendor: Qualcomm
Product: Multiple Chipsets
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2026-03-03
Original CVE updated: 2026-03-03
Advisory published: 2026-03-03
Advisory updated: 2026-03-03

Who should care

Security teams managing Qualcomm-based devices, OEM patch and firmware rollouts, mobile/device fleet operators, and incident response teams tracking known exploited vulnerabilities should pay attention. Organizations should also check with the specific device vendor or OEM for patch availability and deployment guidance.

Technical summary

The supplied corpus identifies the issue only as a memory corruption vulnerability in multiple Qualcomm chipsets. CISA’s KEV listing marks it as a known exploited vulnerability and directs defenders to apply vendor mitigations, follow BOD 22-01 guidance where applicable, or discontinue use if mitigations are unavailable. The source notes also advise checking with the specific vendors/OEMs for patching status.

Defensive priority

Immediate. KEV inclusion means this should be treated as a priority remediation item rather than a routine patch cycle vulnerability.

Recommended defensive actions

  • Confirm whether any in-scope devices or components rely on affected Qualcomm chipsets.
  • Check the relevant OEM or device vendor for patch availability and firmware/security bulletin status.
  • Apply vendor-provided mitigations or updates as soon as they are available.
  • If mitigations are unavailable, follow CISA guidance and consider discontinuing use of the affected product where appropriate.
  • Track remediation progress against the KEV due date of 2026-03-24.
  • Validate exposure across cloud-managed or fleet-managed environments and document exceptions.
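One way to track progress against the due date and keep exceptions visible, as an added example that is not PatchSiren's or CISA's code. The KEV field names (cveID, vendorProject, dateAdded, dueDate) follow the public catalog's JSON; the inventory records, their field names, the chipset labels and the exception ID are constructed placeholders.

```python
from collections import Counter
from datetime import date

# KEV entry using the values stated on this page (catalog JSON field names).
KEV_ENTRY = {
    "cveID": "CVE-2026-21385",
    "vendorProject": "Qualcomm",
    "dateAdded": "2026-03-03",
    "dueDate": "2026-03-24",
}

# Constructed inventory: device IDs, chipset labels and field names are
# placeholders; the page gives no affected-chipset list.
INVENTORY = [
    {"id": "dev-001", "chipset": "CHIPSET-A", "affected": True, "patched_on": "2026-03-10", "exception": None},
    {"id": "dev-002", "chipset": "CHIPSET-A", "affected": True, "patched_on": None, "exception": None},
    {"id": "dev-003", "chipset": "CHIPSET-B", "affected": True, "patched_on": "2026-03-27", "exception": None},
    {"id": "dev-004", "chipset": "CHIPSET-B", "affected": True, "patched_on": None, "exception": "EXC-PLACEHOLDER"},
    {"id": "dev-005", "chipset": "CHIPSET-C", "affected": False, "patched_on": None, "exception": None},
]

def classify(device, kev, today):
    """Return one remediation status for a device relative to the KEV due date."""
    due = date.fromisoformat(kev["dueDate"])
    if not device["affected"]:
        return "not_affected"
    if device["patched_on"]:
        patched = date.fromisoformat(device["patched_on"])
        if patched <= today:  # a future-dated rollout does not count as patched yet
            return "patched_on_time" if patched <= due else "patched_late"
    if device["exception"]:
        return "exception_documented"
    return "overdue" if today > due else "pending"

def report(inventory, kev, today):
    """Summarise the fleet: days left until the due date plus per-status counts."""
    due = date.fromisoformat(kev["dueDate"])
    statuses = {d["id"]: classify(d, kev, today) for d in inventory}
    return {
        "cve": kev["cveID"],
        "days_to_due": (due - today).days,
        "counts": dict(Counter(statuses.values())),
        "needs_action": sorted(i for i, s in statuses.items() if s in ("pending", "overdue")),
    }

if __name__ == "__main__":
    print(report(INVENTORY, KEV_ENTRY, date(2026, 3, 12)))
```

The `affected` flag is expected to come from the OEM's or device vendor's own bulletin for each model, since the chipset list is not available here.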

Evidence notes

Evidence is limited to the supplied CISA KEV source item and official references. The KEV metadata names the issue as "Qualcomm Multiple Chipsets Memory Corruption Vulnerability," lists Qualcomm as the vendor project, and records dateAdded as 2026-03-03 with dueDate 2026-03-24. The source notes instruct defenders to check with specific vendors/OEMs for patching status and refer to official Qualcomm-related advisory material via the linked Android security bulletin and NVD record. No CVSS score was provided in the supplied corpus.

Official resources

CISA added CVE-2026-21385 to the Known Exploited Vulnerabilities catalog on 2026-03-03. The supplied corpus does not provide a CVSS score, exploit details, or affected chipset list, so remediation guidance is limited to vendor/OEM patching,