Google Patches Android Wireless ADB Auth Bypass Enabling Zero-Click Shell Access
Google fixed CVE-2026-0073, a critical flaw in Android’s adbd component that allowed a nearby attacker to bypass wireless ADB authentication and execute code as the shell user with no user interaction. The bug affected Android 14, 15, 16, and 16-QPR2, and was traced to a logic error in adbd_tls_verify_cert that mishandled certificate key comparisons, letting a malicious client certificate impersonate a trusted ADB host. Researchers said exploitation could expose data, install apps, alter settings, and provide a path toward broader device compromise.
The vulnerability primarily exposed devices with Developer Options and wireless debugging enabled, where the attacker could reach ADB on TCP port 5555 and the device had at least one previously paired RSA host key. Google included the fix in the 2026-05-01 Android security patch level and also distributed remediation through the Project Mainline adbd module for supported devices, while stating it had no evidence of public exploitation or in-the-wild attacks. The issue was credited to Ovi (@0x0v1) of Barghest, and defenders were urged to apply updates, disable wireless ADB where unnecessary, revoke unknown debugging authorizations, and restrict network exposure to ADB services.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
PoC exploit for CVE-2026-0073 was released
A proof-of-concept exploit was released demonstrating how the adbd certificate-validation flaw could be abused to obtain remote shell access on vulnerable Android devices with wireless debugging enabled and prior paired RSA keys present.
Google security update for CVE-2026-0073 was reported publicly
Multiple reports said Google released fixes for CVE-2026-0073 in the May 2026 Android security update, including mitigation through the 2026-05-01 patch level and Project Mainline adbd updates. Google also said it was not aware of public exploits or in-the-wild abuse.
HKCERT issued an advisory on CVE-2026-0073
HKCERT issued an advisory highlighting CVE-2026-0073 as a remote code execution threat affecting Android's wireless ADB authentication path.
CVE record for CVE-2026-0073 was updated with CVSS details
The CVE entry for CVE-2026-0073 was updated to add a CVSS v3.1 vector and classify the weakness as CWE-303. The record referenced the Android Security Bulletin for 2026-05-01.
Google published the May 2026 Android Security Bulletin
Google published the Android Security Bulletin describing CVE-2026-0073 as a critical System-component flaw affecting Android 14, 15, 16, and 16-qpr2. The bulletin said devices with security patch level 2026-05-01 or later are protected and that AOSP patches would follow within 48 hours.
Barghest published technical analysis of CVE-2026-0073
Barghest disclosed technical details for CVE-2026-0073, describing a logic error in adbd_tls_verify_cert that lets attackers bypass wireless ADB authentication and gain shell access under specific conditions.
Google distributed a patch for CVE-2026-0073
Barghest reported that Google distributed a patch for the Android adbd TLS client-authentication bypass vulnerability CVE-2026-0073 on 2026-03-31.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
PoC Exploit Released for Android Zero-Click Vulnerability that Enables Remote Shell Access
cybersecuritynews.com
Open sourceGoogle patches critical Android remote code execution flaw | brief | SC Media
scworld.com
Open sourceCritical Android vulnerability CVE-2026-0073 fixed by Google
securityaffairs.com
Open sourceCritical Android Zero-Click Vulnerability Grants Remote Shell Access
cybersecuritynews.com
Open sourceCritical CVE-2026-0073 - Android ADB Wireless Authentication Bypass RCE - TheCyberThrone
thecyberthrone.in
Open sourceCVE-2026-0073 - Qualcomm ADB TLS Certificate Bypass Vulnerability
cvefeed.io
Open sourceAndroid Security Bulletin-May 2026 | Android Open Source Project
source.android.com
Open sourceCVE-2026-0073 Android adbd TLS client-authentication bypass
barghest.asia
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Patches Android Zero-Interaction DoS and Zero-Click adbd RCE Flaws
Google issued Android security updates to fix multiple high-severity flaws, including **CVE-2026-0049**, a critical Android Framework vulnerability that can trigger a local denial-of-service with no user interaction and no elevated privileges, and **CVE-2026-0073**, a critical remote code execution bug in the Android System component tied to the Android Debug Bridge Daemon (`adbd`). The `adbd` flaw affects Android 14, 15, 16, and `16-qpr2`, and under proximal or adjacent network conditions could allow shell-level remote code execution on a target device without user action. The April bulletin also addressed **CVE-2025-48651**, a high-severity StrongBox issue affecting hardware-backed key storage implementations from Google, NXP, STMicroelectronics, and Thales, with fixes split between the `2026-04-01` and `2026-04-05` patch levels. Google said the `adbd` issue is remediated by the `2026-05-01` security patch level or later and noted that, because `adbd` is delivered through Project Mainline, mitigations can reach Android 10 and later devices faster through Google Play system updates; organizations were urged to accelerate deployment of the April and May patches across managed mobile fleets.
May 25, 2026
Google Patches Android Zero-Day and High-Severity XR Privilege Escalation Flaws
Google has issued its June 2026 Android security updates to fix **113 vulnerabilities**, including **18 critical** flaws and a zero-day tracked as `CVE-2025-48595` that the company said may be under limited, targeted exploitation. The zero-day affects the **Android Framework** and stems from an integer overflow memory-management issue that can enable code execution and potentially full device compromise. The update also addresses vulnerabilities in third-party components from **Qualcomm, MediaTek, and Unisoc**, and Google said devices running Android 10 or later can receive relevant fixes through Google Play services, with patch levels dated **2026-06-05** or later remediating the documented issues. Google also published its June 2026 **XR Security Bulletin**, disclosing a high-severity flaw, `CVE-2026-0072`, in `InputMethodManagerService`. The bug is caused by a missing permission check in `addInputMethodListener` and can allow **local elevation of privilege** without additional execution privileges or user interaction; Google said it could also permit input text to be read without permission. The XR issue is fixed with security patch level **2026-06-01** or later, while full XR protection requires the broader Android June 2026 patch level as well, underscoring the need for enterprises to accelerate deployment of both platform and device-vendor updates.
Jun 3, 2026
Critical Zero-Click RCE Vulnerability (CVE-2025-48593) in Android System Component
Google released a security update in November 2025 to address a critical remote code execution vulnerability, CVE-2025-48593, in the Android System component. This flaw allows attackers to execute code remotely on affected devices running Android versions 13 through 16 without requiring user interaction or additional execution privileges. The vulnerability stems from insufficient validation of user input, making it possible for exploitation via a zero-click attack vector. The update also addressed a separate privilege escalation issue, CVE-2025-48581, affecting Android 16, but the primary concern is the zero-click RCE, which requires immediate patching due to its severity. Google has stated that there is no evidence of active exploitation in the wild at the time of the update. Security experts urge all users and organizations to apply the November 2025 security patch promptly to mitigate the risk posed by this critical vulnerability.
Mar 21, 2026