Google Patches Android Zero-Interaction DoS and Zero-Click adbd RCE Flaws
Google issued Android security updates to fix multiple high-severity flaws, including CVE-2026-0049, a critical Android Framework vulnerability that can trigger a local denial-of-service with no user interaction and no elevated privileges, and CVE-2026-0073, a critical remote code execution bug in the Android System component tied to the Android Debug Bridge Daemon (adbd). The adbd flaw affects Android 14, 15, 16, and 16-qpr2, and under proximal or adjacent network conditions could allow shell-level remote code execution on a target device without user action.
The April bulletin also addressed CVE-2025-48651, a high-severity StrongBox issue affecting hardware-backed key storage implementations from Google, NXP, STMicroelectronics, and Thales, with fixes split between the 2026-04-01 and 2026-04-05 patch levels. Google said the adbd issue is remediated by the 2026-05-01 security patch level or later and noted that, because adbd is delivered through Project Mainline, mitigations can reach Android 10 and later devices faster through Google Play system updates; organizations were urged to accelerate deployment of the April and May patches across managed mobile fleets.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Google recommends May 2026 patch level or Play updates for adbd flaw
Google said devices should be updated to the 2026-05-01 security patch level or later to remediate CVE-2026-0073, noting that because adbd is delivered through Project Mainline, fixes can also be distributed quickly through Google Play system updates on Android 10 and later. Organizations were urged to prioritize immediate deployment across mobile fleets.
Google issues May 2026 Android bulletin fixing CVE-2026-0073
Google's May 2026 Android Security Bulletin addressed CVE-2026-0073, a critical zero-click remote code execution flaw in the Android System component tied to adbd under Project Mainline. The vulnerability affected Android 14, 15, 16, and 16-qpr2 and could allow shell-level remote code execution in proximal or adjacent network conditions without user interaction.
Google says April 2026 AOSP patches will follow within 48 hours
Alongside the April bulletin, Google said Android Open Source Project source code patches would be released within 48 hours of publication and urged users to install the April 2026 updates promptly. This was part of the coordinated rollout of the April fixes.
Google issues April 2026 Android security bulletin with CVE-2026-0049 fix
Google released the April 2026 Android Security Bulletin addressing multiple flaws, including CVE-2026-0049, a critical zero-interaction vulnerability in the Android Framework that could cause a local denial-of-service without user action or elevated privileges. The bulletin split fixes across the 2026-04-01 and 2026-04-05 patch levels and included remediation for the high-severity StrongBox issue CVE-2025-48651.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Patches Android Wireless ADB Auth Bypass Enabling Zero-Click Shell Access
Google fixed **CVE-2026-0073**, a critical flaw in Android’s `adbd` component that allowed a nearby attacker to bypass wireless ADB authentication and execute code as the **shell** user with no user interaction. The bug affected Android 14, 15, 16, and 16-QPR2, and was traced to a logic error in `adbd_tls_verify_cert` that mishandled certificate key comparisons, letting a malicious client certificate impersonate a trusted ADB host. Researchers said exploitation could expose data, install apps, alter settings, and provide a path toward broader device compromise. The vulnerability primarily exposed devices with **Developer Options** and **wireless debugging** enabled, where the attacker could reach ADB on TCP port `5555` and the device had at least one previously paired RSA host key. Google included the fix in the **2026-05-01** Android security patch level and also distributed remediation through the **Project Mainline adbd module** for supported devices, while stating it had no evidence of public exploitation or in-the-wild attacks. The issue was credited to **Ovi (@0x0v1) of Barghest**, and defenders were urged to apply updates, disable wireless ADB where unnecessary, revoke unknown debugging authorizations, and restrict network exposure to ADB services.
Jun 8, 2026
Google Patches Android Zero-Day and High-Severity XR Privilege Escalation Flaws
Google has issued its June 2026 Android security updates to fix **113 vulnerabilities**, including **18 critical** flaws and a zero-day tracked as `CVE-2025-48595` that the company said may be under limited, targeted exploitation. The zero-day affects the **Android Framework** and stems from an integer overflow memory-management issue that can enable code execution and potentially full device compromise. The update also addresses vulnerabilities in third-party components from **Qualcomm, MediaTek, and Unisoc**, and Google said devices running Android 10 or later can receive relevant fixes through Google Play services, with patch levels dated **2026-06-05** or later remediating the documented issues. Google also published its June 2026 **XR Security Bulletin**, disclosing a high-severity flaw, `CVE-2026-0072`, in `InputMethodManagerService`. The bug is caused by a missing permission check in `addInputMethodListener` and can allow **local elevation of privilege** without additional execution privileges or user interaction; Google said it could also permit input text to be read without permission. The XR issue is fixed with security patch level **2026-06-01** or later, while full XR protection requires the broader Android June 2026 patch level as well, underscoring the need for enterprises to accelerate deployment of both platform and device-vendor updates.
Jun 3, 2026
Google March Android Security Bulletin Patches 129 Flaws Including Actively Exploited Qualcomm Display Zero-Day
Google released the March 2026 *Android Security Bulletin*, issuing fixes for **129 vulnerabilities** across the Android ecosystem and shipping two patch levels (`2026-03-01` and `2026-03-05`) to help OEMs stage platform and hardware-specific updates. The most urgent issue is **CVE-2026-21385**, a **high-severity, actively exploited** zero-day in an open-source **Qualcomm display** component used in Android devices with affected Qualcomm/Snapdragon chipsets. Reporting indicates CVE-2026-21385 is a **memory-corruption** flaw caused by an **integer overflow/wraparound** condition that can lead to memory corruption during allocation/alignment in display drivers; successful exploitation could enable device compromise (e.g., arbitrary code execution and/or privilege escalation) and bypass security boundaries. Google and Qualcomm both acknowledged **limited, targeted exploitation in the wild**, and one account attributes discovery/confirmation of exploitation to Google’s **Threat Analysis Group (TAG)**; devices not updated to at least patch level `2026-03-05` remain exposed, making rapid patch deployment and user update compliance the primary risk-reduction actions.
Mar 21, 2026