A record-breaking 129 reasons why Project Mainline is paying off.
With spring in the air in some parts of the U.S. and the sun staying out longer, it seemed apt to cover Android's biggest spring cleaning in years. Last week, while we were all distracted by the Pixel 10a's varying colorways and boringly solid performance, Google pushed out one of the biggest security updates for the operating system in nearly a decade. About 129 bugs were squashed in the March 2026 security update.
To put it in perspective, that's the highest number of bug fixes in a single month since April 2018. The fixes aren't just for the Android source code either. They include patches for components from Qualcomm, Arm, and MediaTek, all major players and manufacturers of the brains and motors of Android devices.
One of the biggest patches was for Qualcomm's graphics drivers. The flaw (CVE-2026-21385) is an "integer overflow" in the display component that allows an attacker to corrupt the device's memory through a malicious app. Once that memory is corrupted, the attacker can exploit the bug to gain deeper access to your data. The patch is considered a zero-day, meaning hackers were already exploiting it before a fix was available. It affects over 230 different Qualcomm chipsets. Whether you have the Galaxy S26 or a budget Moto G, you're likely on the list for an update.
And then there's the no interaction bug, just as critical to patch and arguably more dangerous than the one that enters your system through display drivers. CVE-2026-0006 is a "Remote Code Execution" (RCE) vulnerability, meaning you don't have to do anything for it to get triggered. It resides in one of Android's system components, specifically Media Codecs. If your device is unpatched, an attacker can flood it with a specially crafted data package that overwhelms the phone's memory, effectively blasting a hole into your system from afar.
You can read the full list of vulnerabilities and their alphanumeric monikers in Android's official security bulletin, released on March 1. The good news is that Project Mainline, which we've covered exhaustively here at Android Faithful, will handle it through a massive Google Play system update, which already went out the first week of March. That Media Codecs vulnerability, for instance, is addressed directly through the Play Store. You don't have to wait for your carrier or device manufacturer to address the vulnerability before receiving care.
Think you might be affected? Fortunately, you can check on it. On most modern Android devices running Android 14/15/16, navigate to Settings > Security & Privacy > System & Updates. Check that the security update shows March 5, 2026. Then check that the Google Play system update shows March 1, 2026.
Ha, I just checked, and apparently my Pixel 10 Pro didn't have the latest Google Play system update! Whoops! I'm going to take care of that now!
We couldn't help it with the muscular photo of the Android bot. Android's clearly in its working-out era. Jason and I give our initial impressions of the Google Pixel 10a and the Samsung Galaxy S26 Ultra. And Ron is back! We also address a handful of reader questions and feedback.
Speaking of impressions, I have started my three-part epic on the Galaxy S26 Ultra. Yes, I know it's already on sale, but I have a rare opportunity to avoid "rushing" a review for web traffic's sake. Plus, Gemini's Android app control just rolled out this week. Stick with me, I promise we'll learn something new together. So much has changed in Android benchmarking and other stress tests.
This week, I wrote all about the Galaxy S26 Ultra's physicality: how it feels in your hand, how it handles daily tasks, and how hot it gets. Check it out. I'll follow up with parts two and three next week.
