Zero-day · May 5, 2026

CVE-2026-0073: Zero-Click RCE Flaw in Android's Wireless ADB Bypasses Authentication

Critical zero-click RCE in Android's Wireless ADB bypasses authentication via logic error.

Summary

Google patched CVE-2026-0073, a critical authentication bypass vulnerability in Android's adbd (Android Debug Bridge daemon) affecting Android 14–16. The flaw allows unauthenticated attackers on the same network to establish a fully authenticated ADB session and execute arbitrary code as the shell user without any user interaction. The vulnerability stems from a logic error in the adbd_tls_verify_cert function, breaking the mutual TLS authentication mechanism that normally restricts access to previously paired devices.

Full text

⚠ Critical — Zero-Click RCE
CVE: CVE-2026-0073
Type: Authentication Bypass
Vector: Adjacent Network

Vulnerability Overview

Google has published the May 2026 Android Security Bulletin, addressing a critical remote code execution vulnerability in the Android System component. Tracked as CVE-2026-0073, the flaw resides in the Android Debug Bridge daemon (adbd) and allows an attacker within wireless proximity to gain remote shell access to a target device — without requiring a single tap, download, or click from the device owner.

The vulnerability is classified as zero-click, meaning no user interaction is needed for exploitation. An attacker on the same local network or within physical proximity of the target device can silently trigger the exploit to execute arbitrary code as the "shell" user, bypassing normal application sandboxes. The severity assessment for this flaw is critical.

The root cause lies in a logic error within the adbd_tls_verify_cert function in auth.cpp, which handles mutual TLS authentication for wireless ADB connections. The flaw allows an attacker to bypass the wireless ADB mutual authentication mechanism entirely, establishing an authenticated debugging session without possessing valid credentials or being paired with the device.

CVE ID: CVE-2026-0073
Severity: Critical
Vulnerability Type: Authentication Bypass (Logic Error)
Affected Component: System — adbd (Project Mainline)
Attack Vector: Adjacent Network (Proximal)
User Interaction: None — Zero-Click
Privileges Required: None
Impact: Remote Code Execution (shell)
Vendor: Google
Product: Android
Published: May 4, 2026
Patch Level: 2026-05-01

Technical Details

CVE-2026-0073 is an authentication bypass vulnerability in the adbd_tls_verify_cert function of Android's auth.cpp. This function is responsible for verifying the TLS certificate presented by a connecting host during the wireless ADB pairing and connection flow introduced in Android 11. A logic error in the certificate verification code allows an attacker to bypass the mutual authentication mechanism that is supposed to ensure only previously paired hosts can establish a debugging session.

When wireless debugging is enabled on an Android device, the adbd process listens on a randomly assigned TCP port and advertises its presence via mDNS. Legitimate connections require TLS mutual authentication — the connecting host must present a certificate that matches a key previously stored during pairing. The flaw in adbd_tls_verify_cert breaks this trust model, allowing an unauthenticated attacker who can reach the device over the network to establish a fully authenticated ADB session.

Because ADB provides a Unix shell with access to file systems, package management, process control, and debugging interfaces, successful exploitation grants the attacker broad capabilities on the device. The "shell" user context allows executing commands, installing and removing applications, reading application data from debuggable apps, capturing screen content, and interacting with device services.

Zero-Click Exploitation

This vulnerability requires no user interaction whatsoever. An attacker on the same Wi-Fi network or within adjacent network range can discover vulnerable devices via mDNS service advertisements and exploit the authentication bypass silently. The attack does not require the victim to click a link, install an app, or approve any prompt. Devices with wireless debugging enabled are immediately vulnerable.

Affected Versions

The vulnerability affects all Android devices running versions 14, 15, 16, and 16-qpr2 that have not been updated to the May 2026 security patch level. Because the affected adbd component is part of Project Mainline, Google can push targeted fixes directly through Google Play system updates, bypassing traditional carrier and OEM update timelines.

Android Version     Status      Patch Level
Android 14          Affected    2026-05-01
Android 15          Affected    2026-05-01
Android 16          Affected    2026-05-01
Android 16-qpr2     Affected    2026-05-01

Recommendations

  • Update to the May 2026 security patch immediately. Navigate to Settings → Security & privacy → System & updates to verify your device is running security patch level 2026-05-01 or later. Apply any pending updates and restart the device.
  • Check for Google Play system updates. Devices running Android 10 or later may receive the fix through Google Play system updates. Navigate to Settings → Security & privacy → System & updates → Google Play system update to check.
  • Disable wireless debugging when not in use. Navigate to Settings → Developer options → Wireless debugging and toggle it off. This eliminates the network-exposed attack surface entirely until the patch is applied.
  • Restrict network exposure. Avoid connecting to untrusted or public Wi-Fi networks until the device is patched. The attack requires adjacent network access, so limiting network exposure reduces risk.
  • Enterprise administrators should prioritize MDM-pushed updates. Organizations managing Android fleets should push the May 2026 security update across managed devices immediately and consider disabling wireless debugging via device management policies.

Context

CVE-2026-0073 is the most critical vulnerability addressed in Google's May 2026 Android Security Bulletin. The zero-click, zero-privilege nature of the attack makes it particularly dangerous in environments where multiple devices share a common network — corporate offices, hotels, airports, and university campuses are all scenarios where adjacent network access is trivially obtained.

The Hong Kong Computer Emergency Response Team (HKCERT) issued a dedicated advisory for CVE-2026-0073 on May 5, 2026, classifying it as a remote code execution threat.

Android's built-in protections — including application sandboxing, Google Play Protect, and platform hardening in newer versions — help limit the blast radius of exploitation, but do not prevent the initial compromise. Source code patches will be released to the Android Open Source Project (AOSP) repository within 48 hours of the bulletin's publication.

References

  • Google — Android Security Bulletin, May 2026
  • NVD — CVE-2026-0073
  • HKCERT — Android Remote Code Execution Vulnerability
  • Cyber Security News — Critical Android Zero-Click Vulnerability Grants Remote Shell Access
  • GBHackers — Critical Android Zero-Click Vulnerability Enables Remote Shell Access
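The patch-level and wireless-debugging checks from the Recommendations, as an added shell example (not part of the original advisory) for devices attached over USB with debugging already authorized. The function names are hypothetical; ro.build.version.release, ro.build.version.security_patch and the adb_wifi_enabled global setting are standard Android names that do not come from the page.

```shell
#!/bin/sh
# Added example: triage attached devices against the CVE-2026-0073 advisory.
# Function names are hypothetical; devices are assumed to be on USB.
FIXED_PATCH="2026-05-01"    # patch level stated in the advisory

# classify RELEASE PATCH WIFI_DEBUG: print one verdict word.
classify() {
    release=$1; patch=$2; wifi=$3
    case "$release" in
        14|15|16) ;;                        # releases the advisory lists
        *) echo "NOT_LISTED"; return 0 ;;
    esac
    # ISO dates compare as integers once the dashes are removed.
    have=$(printf '%s' "$patch" | tr -d '-')
    need=$(printf '%s' "$FIXED_PATCH" | tr -d '-')
    case "$have" in
        ''|*[!0-9]*) echo "UNKNOWN_PATCH"; return 0 ;;
    esac
    if [ "$have" -ge "$need" ]; then
        echo "PATCHED"
    elif [ "$wifi" = "1" ]; then
        echo "EXPOSED"                      # unpatched, wireless debugging on
    else
        echo "UNPATCHED_WIFI_DEBUG_OFF"     # still needs the update
    fi
}

# Read one property/setting from a device, stripping carriage returns.
dev() { serial=$1; shift; adb -s "$serial" shell "$@" | tr -d '\r'; }

# Print serial, release, patch level and verdict for one device.
check_device() {
    s=$1
    rel=$(dev "$s" getprop ro.build.version.release)
    pat=$(dev "$s" getprop ro.build.version.security_patch)
    wdb=$(dev "$s" settings get global adb_wifi_enabled)
    printf '%s\t%s\t%s\t%s\n' "$s" "$rel" "$pat" "$(classify "$rel" "$pat" "$wdb")"
}

# Run the check on every device adb lists in the "device" state.
check_all() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r s; do check_device "$s" </dev/null; done
}
```

Source the file and run check_all. The verdict uses the platform security patch level only, so a fix delivered through a Google Play system update still has to be confirmed in Settings.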

Indicators of Compromise

  • cve — CVE-2026-0073

Entities

  • Google (vendor)
  • Android (product)
  • Android Debug Bridge (ADB) (technology)
  • Project Mainline (technology)