Critical Android adbd TLS Bypass Enables Zero-Click Remote Shell Access
Google disclosed and patched CVE-2026-0073, a critical flaw in Android's adbd component that can let a nearby attacker bypass wireless ADB mutual authentication and gain code execution as the shell user with no user interaction. The bug is a logic error in adbd_tls_verify_cert in auth.cpp, where certificate key comparisons can incorrectly succeed, allowing an attacker to establish an authenticated ADB-over-TCP session without valid pairing credentials. Public reporting says exploitation is proximal or adjacent, typically requiring access to the same local network or physical proximity, and is most relevant when wireless debugging is enabled.
The issue affects Android 14, 15, 16, and 16-qpr2 and is addressed by the 2026-05-01 Android security patch level, with fixes also being distributed through AOSP and potentially Google Play system updates because adbd is part of Project Mainline. Google said Android partners were notified at least a month in advance, while national and regional advisories including dCERT and the Canadian Centre for Cyber Security urged organizations and users to apply updates. Security researchers also noted that devices with exposed ADB-over-TCP services, including those reachable on port 5555, may face additional risk if they hit the vulnerable authentication path.
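A triage check built from the conditions reported above (affected releases, the 2026-05-01 patch level, wireless debugging, ADB-over-TCP listeners). It is an added example, not code from Google's bulletin or any cited advisory. The function names and verdict strings are hypothetical, and the script assumes a 16-qpr2 build reports release 16.

```shell
#!/bin/sh
# Added example (not from the bulletin): CVE-2026-0073 exposure triage.
# Only the platform patch level is checked; a fix delivered through a Google
# Play system update to the adbd module is not detected here.
FIXED_SPL=20260501   # the 2026-05-01 patch level, dashes removed

# assess_adbd RELEASE SPL ADB_WIFI TCP_PORT -> prints one verdict (hypothetical names)
#   RELEASE  ro.build.version.release
#   SPL      ro.build.version.security_patch (YYYY-MM-DD)
#   ADB_WIFI settings get global adb_wifi_enabled (1, 0 or null)
#   TCP_PORT service.adb.tcp.port (empty, 0, -1 or a port number)
assess_adbd() {
    release=$1; spl=$2; adb_wifi=$3; tcp_port=$4
    case "$release" in
        14|15|16) ;;   # listed as affected; assumes 16-qpr2 reports 16
        *) echo "not-listed"; return 0 ;;
    esac
    case "$spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown-patch-level"; return 0 ;;
    esac
    spl_num=$(printf '%s' "$spl" | sed 's/-//g')
    if [ "$spl_num" -ge "$FIXED_SPL" ]; then echo "patched"; return 0; fi
    listener=no
    [ "$adb_wifi" = "1" ] && listener=yes   # wireless debugging switched on
    case "$tcp_port" in
        ''|0|-1|*[!0-9]*) ;;                # no ADB-over-TCP port configured
        *) listener=yes ;;                  # e.g. 5555
    esac
    if [ "$listener" = yes ]; then
        echo "vulnerable-exposed"           # unpatched, ADB reachable over the network
    else
        echo "vulnerable-dormant"           # unpatched, network ADB currently off
    fi
}

# Query a connected device (needs adb on PATH); not called by the samples below.
assess_device() {
    serial=$1
    assess_adbd \
        "$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')" \
        "$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')" \
        "$(adb -s "$serial" shell settings get global adb_wifi_enabled | tr -d '\r')" \
        "$(adb -s "$serial" shell getprop service.adb.tcp.port | tr -d '\r')"
}

# Constructed sample values, not taken from real devices.
assess_adbd 15 2026-03-05 1 ""      # vulnerable-exposed
assess_adbd 16 2026-05-01 1 5555    # patched
```

A `vulnerable-dormant` device still needs the update; the verdict only says the network-facing ADB listener was off when the values were read.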
Timeline
May 5, 2026
National CERTs issue advisories urging Android updates
On May 5, 2026, national cybersecurity bodies including Canada's Cyber Centre and Germany's dCERT published advisories about the Android vulnerability and urged users and administrators to apply the relevant security updates. Darkweb Informer also noted an HKCERT advisory issued the same day.
May 4, 2026
CVE record updated with CVSS and CWE classification
The CVE-2026-0073 record was updated to add a CVSS v3.1 vector of AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and classify the issue as CWE-303. The update also referenced the Android Security Bulletin dated 2026-05-01.
May 4, 2026
Google publicly discloses CVE-2026-0073 in Android Security Bulletin
Google published the May 2026 Android Security Bulletin describing CVE-2026-0073 as a critical proximal or adjacent remote code execution flaw in adbd that could yield shell-user access without user interaction. Google said AOSP source patches would follow within 48 hours of publication.
May 1, 2026
Android May 2026 patch level fixes CVE-2026-0073
Google assigned the 2026-05-01 Android security patch level to address CVE-2026-0073, affecting Android 14, 15, 16, and 16-qpr2. The fix was also noted as available through Project Mainline/Google Play system updates for the adbd component.
Apr 1, 2026
Independent technical analysis details adbd TLS auth bypass
A public technical write-up described how a logic error in adbd_tls_verify_cert could let attackers bypass wireless ADB mutual authentication and gain shell access. The analysis explained exploitation conditions, including prior paired RSA keys and a crafted non-RSA client certificate.
Mar 31, 2026
Google distributes patch for CVE-2026-0073 to Android partners
Google distributed a fix for the adbd TLS client-authentication bypass vulnerability to Android partners on March 31, 2026. Multiple references indicate partners had been notified at least one month before the public bulletin.
Related Stories

Critical Zero-Click RCE Vulnerability (CVE-2025-48593) in Android System Component
Google released a security update in November 2025 to address a critical remote code execution vulnerability, CVE-2025-48593, in the Android System component. This flaw allows attackers to execute code remotely on affected devices running Android versions 13 through 16 without requiring user interaction or additional execution privileges. The vulnerability stems from insufficient validation of user input, making it possible for exploitation via a zero-click attack vector. The update also addressed a separate privilege escalation issue, CVE-2025-48581, affecting Android 16, but the primary concern is the zero-click RCE, which requires immediate patching due to its severity. Google has stated that there is no evidence of active exploitation in the wild at the time of the update. Security experts urge all users and organizations to apply the November 2025 security patch promptly to mitigate the risk posed by this critical vulnerability.
Hardware-Level Android Chip Vulnerabilities Enable Device Compromise
Security researchers and vendors reported **hardware/firmware-level vulnerabilities in Android chip components** that can enable deep device compromise beyond typical app-layer defenses. Ledger’s Donjon research described a flaw involving **MediaTek chip boot-chain behavior and Trustonic’s trusted execution environment (TEE)** that allowed rapid physical compromise: by connecting an affected phone to a laptop over **USB**, attackers could allegedly brute-force the PIN, decrypt storage, and extract sensitive data including messages and **cryptocurrency wallet seed phrases** (e.g., Kraken Wallet, Phantom). The researchers estimated the affected MediaTek chips appear in roughly **one-quarter of Android phones**, disproportionately in lower-cost devices. Separately, Zimperium reported active exploitation of a **Qualcomm graphics zero-day** (**CVE-2026-21385**) in targeted Android attacks, describing a memory-corruption condition that could enable code execution or unauthorized access across “hundreds” of Qualcomm chipsets. A ZDNET article on Android’s *Repair Mode* primarily provides user guidance and anecdotal troubleshooting around a buggy March update/SIM recognition issue; it does not substantively address the chip-level vulnerabilities described in the other reporting and is best treated as tangential consumer advice rather than incident or vulnerability intelligence.
Google March Android Security Bulletin Patches 129 Flaws Including Actively Exploited Qualcomm Display Zero-Day
Google released the March 2026 *Android Security Bulletin*, issuing fixes for **129 vulnerabilities** across the Android ecosystem and shipping two patch levels (`2026-03-01` and `2026-03-05`) to help OEMs stage platform and hardware-specific updates. The most urgent issue is **CVE-2026-21385**, a **high-severity, actively exploited** zero-day in an open-source **Qualcomm display** component used in Android devices with affected Qualcomm/Snapdragon chipsets. Reporting indicates CVE-2026-21385 is a **memory-corruption** flaw caused by an **integer overflow/wraparound** condition that can lead to memory corruption during allocation/alignment in display drivers; successful exploitation could enable device compromise (e.g., arbitrary code execution and/or privilege escalation) and bypass security boundaries. Google and Qualcomm both acknowledged **limited, targeted exploitation in the wild**, and one account attributes discovery/confirmation of exploitation to Google’s **Threat Analysis Group (TAG)**; devices not updated to at least patch level `2026-03-05` remain exposed, making rapid patch deployment and user update compliance the primary risk-reduction actions.