AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks
Flaws in Apple's AirDrop and Google's Quick Share allow nearby attackers to crash services and bypass security checks.
Summary
Researchers have identified six security flaws in Apple's AirDrop and Google's Quick Share, affecting billions of devices. These vulnerabilities allow nearby attackers to crash the sharing services on Macs and iPhones, and bypass security checks in Samsung's Quick Share implementation and Google's Windows app. While no exploits have been publicly reported, Apple has patched one flaw, and Google has fixed a memory bug in its Windows app.
Full text
Swati Khandelwal, Jun 30, 2026, Vulnerability / Wireless Security

Two researchers have found six security flaws in AirDrop and Quick Share, the wireless features that beam files between nearby devices with no cables or shared network. An attacker within wireless range, with just a laptop and no prior connection, can crash the sharing service on a Mac or iPhone set to receive from anyone, with no tap or prompt. The same research found Quick Share flaws that bypass Samsung's session checks and trigger a potentially exploitable crash in Google's Windows app.

The two features run inside an ecosystem of more than five billion active Apple and Android devices, though the tested bugs hit specific implementations and versions. The work, laid out in a new research paper by Arash Ale Ebrahim and Nils Ole Tippenhauer of the CISPA Helmholtz Center for Information Security, is the first to pull both stacks apart side by side, above the radio layer, where discovery becomes session handling, parsing, and trust decisions.

The fixes have already started. Apple has patched one of the three AirDrop bugs and assigned it a CVE, though the advisory is not yet public; the other two are still in coordinated disclosure. Google paid a bounty for the Windows flaw and has landed a code fix, with its CVE still pending. Samsung's two bugs were handed to Google and remain under investigation. No public reports of these flaws being exploited have surfaced as of this writing.

Three ways to knock out Apple's sharing

All three AirDrop flaws end in the same crash: they take down sharingd, the background service on macOS and iOS that handles AirDrop. The catch is that this service also runs AirPlay, Handoff, Universal Clipboard, Continuity Camera, and NameDrop, so one crash takes the whole set down together.

The simplest of the three needs only a single malformed request sent to a device with AirDrop set to receive from "Everyone." Send those crash messages on a loop, about one every two seconds, and the features stay down for as long as the attacker keeps going. In the researchers' test, no legitimate AirDrop transfer got through while the attack ran.

Two of the three are more than AirDrop bugs, because they live in shared Apple frameworks. The broadest is a stack overflow in Foundation's XML property list parser, triggered by a small file with around 200 nested layers. Any Apple app that opens an untrusted file of that type could hit the same parser path, across macOS, iOS, watchOS, tvOS, and visionOS.

The researchers reproduced the AirDrop crashes on macOS 15.7.4, macOS 26.3, iOS 18.x, and iOS 26.3; an older iOS 16 build was not affected.

The Quick Share bugs, and a fix that broke

On Android, two flaws in Samsung's Quick Share let an attacker skip past the handshake that is supposed to lock down a session. One lets an unverified device start driving the connection before any encryption is set up. The other lets some control messages pass unencrypted even after a secure session exists. An attacker on the same Wi-Fi network could use that gap to force a connection into an "accepted" state, keep it alive, or make the server return attacker-supplied IP and port values. Neither was shown to steal files, but both defeat the protections the system promises. The researchers tested these on a Galaxy S23 Ultra and noted that other Android makers' versions of Quick Share need separate checking.

The most serious flaw is in Google's Quick Share for Windows. It is a memory bug that surfaces when two connections collide at the right instant, leaving the program using a chunk of memory it has already thrown away. That is the kind of bug that can sometimes be turned into running attacker code, and the researchers say the path is plausible here because a Windows defense called Control Flow Guard is switched off in the app. They confirmed a crash but did not build a working exploit. Google acknowledged it, paid a bounty, and has now landed a fix; the CVE is still pending.

It is not the first time Quick Share for Windows has been here. SafeBreach reported a 10-bug code-execution chain in 2024 (CVE-2024-38271 and CVE-2024-38272), then returned in 2025 to bypass Google's fixes (CVE-2024-10668). The new use-after-free adds another entry to a pattern of the same component being patched and probed again.

The detail that stings: the program's own source code carried a comment admitting a prior bug in that exact spot, reading "We had a bug here, caused by a race with EncryptionRunner." The fix written to handle it reintroduced the same kind of flaw.

The risk is local, not remote

The key limit is range. These are local attacks, not internet-wide ones: the attacker has to be within about 10 to 30 meters or on the same local network. While less sweeping than a remote bug, a single attacker in a crowded place like an airport, train, or conference can still reach many devices at once. The researchers tested only their own hardware and have released their tools openly so other security teams can reproduce the findings.

On a Mac or iPhone, install Apple's latest update (iOS and macOS 26.5.2 shipped June 29) and keep AirDrop on "Contacts Only" or off rather than "Everyone," which is the setting these flaws need. On Quick Share, leave it out of "Everyone" visibility when you are not actively receiving a file, and update the Windows app now that Google's fix has landed.

Two independently built systems failed the same way: crashes in code that faces the network, and security checks bolted onto individual message handlers instead of being enforced up front. It also lands at an awkward moment.
Google's AirDrop interoperability for Quick Share is already rolling out across flagship Android phones, and it only works when the iPhone is set to receive from "Everyone," the exact setting that exposes the AirDrop crash bugs.
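
For the nested property-list crash described above, a defensive pre-check (an added example, not Apple's fix or code from the research): stream the XML with an event-driven parser, which needs no recursion, and refuse the file once nesting passes a limit, before any recursive parser sees it. `MAX_DEPTH` and the sample plist are assumptions constructed here, and `plistlib` stands in for whatever downstream parser consumes the file.

```python
import plistlib
import xml.parsers.expat

MAX_DEPTH = 32  # assumed policy limit, far below the ~200 levels the article cites

# Constructed sample: an ordinary, shallow XML property list.
SAMPLE_OK = (b'<plist version="1.0"><dict><key>files</key>'
             b'<array><string>a.txt</string></array></dict></plist>')


class NestingTooDeep(ValueError):
    """The document nests elements deeper than the configured limit."""


def max_nesting_depth(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Stream the XML once and return its deepest element nesting.

    expat delivers start/end events, so stack use stays constant however
    deep the input is. Raises NestingTooDeep as soon as `limit` is passed.
    """
    depth = 0
    deepest = 0

    def start(_name, _attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > limit:
            raise NestingTooDeep(f"element nesting exceeds {limit}")

    def end(_name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    return deepest


def load_untrusted_plist(data: bytes, limit: int = MAX_DEPTH):
    """Depth-check first, then hand the bytes to the real plist parser."""
    max_nesting_depth(data, limit)
    return plistlib.loads(data, fmt=plistlib.FMT_XML)
```

The check covers XML plists only; a binary plist needs its own bounds check on object nesting.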
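
The point about checks being bolted onto individual handlers instead of enforced up front, as an added example (not Quick Share code): every frame passes one gate before dispatch, so no handler can be reached before the handshake or in cleartext afterwards. The message names, the `Frame` fields and the `Session` class are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical message names for illustration, not real Quick Share frame types.
CLEARTEXT_SETUP = {"HELLO", "KEY_EXCHANGE"}   # allowed only before the session is secured
SECURED_ONLY = {"ACCEPT", "KEEP_ALIVE", "PATH_UPDATE"}


class GateError(Exception):
    """A frame was refused before it reached any handler."""


@dataclass
class Frame:
    kind: str
    encrypted: bool      # True if it arrived inside the authenticated channel
    body: dict = field(default_factory=dict)


class Session:
    def __init__(self):
        self.secured = False    # set once the key exchange has completed
        self.accepted = False
        self.endpoint = None
        self.events = []        # frames that actually reached a handler

    def _gate(self, frame: Frame) -> None:
        """Single choke point: runs for every frame, whatever its type."""
        if frame.kind in CLEARTEXT_SETUP:
            if self.secured:
                raise GateError(f"{frame.kind} replayed after handshake")
        elif frame.kind in SECURED_ONLY:
            if not self.secured:
                raise GateError(f"{frame.kind} before handshake")
            if not frame.encrypted:
                raise GateError(f"{frame.kind} sent in cleartext")
        else:
            raise GateError(f"unknown frame kind {frame.kind!r}")

    def dispatch(self, frame: Frame) -> None:
        self._gate(frame)
        getattr(self, "_on_" + frame.kind.lower())(frame)
        self.events.append(frame.kind)

    # Handlers carry no security checks of their own; the gate already ran.
    def _on_hello(self, frame): pass
    def _on_key_exchange(self, frame): self.secured = True  # stands in for real key agreement
    def _on_accept(self, frame): self.accepted = True
    def _on_keep_alive(self, frame): pass
    def _on_path_update(self, frame):
        self.endpoint = (frame.body["ip"], frame.body["port"])
```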