Google Patches 47 Vulnerabilities in March Android Security Update

Google's March 2026 Android security bulletin addresses 47 vulnerabilities, including three critical remote code execution flaws in the System component that could be exploited without any user interaction on devices running Android 12 through 15.

The most severe vulnerability, CVE-2026-20891, is a critical bug in the Android Bluetooth stack that allows a nearby attacker to execute arbitrary code with elevated privileges. No user interaction or special permissions are required for exploitation.

Two additional critical vulnerabilities (CVE-2026-20893 and CVE-2026-20897) affect the Android media framework and could allow remote code execution through specially crafted media files delivered via MMS or web browsing.

Google said there are no indications that any of the patched vulnerabilities are being actively exploited in the wild. However, the company noted that proof-of-concept exploits for CVE-2026-20891 have been circulating in security research circles.

Pixel devices will receive the update immediately through over-the-air updates. Samsung, OnePlus, and other major OEMs have committed to distributing the patches within the next two weeks.