Critical Zero-Click Android Vulnerability Exposes Devices to Remote Exploitation
Google’s May 2026 Android Security Bulletin has disclosed a severe zero-click vulnerability (CVE-2026-0073) in the Android System’s adbd daemon, allowing threat actors to gain full remote shell access without user interaction. Discovered by security researchers at BARGHEST, the flaw stems from a cryptographic logic error in the adbd_tls_verify_cert function, which improperly validates client certificates during the TLS handshake.
The flaw lies in the public key comparison logic. When an attacker presents a non-RSA certificate (e.g., EC P-256 or Ed25519), the EVP_PKEY_cmp API returns a non-zero value, which the daemon incorrectly interprets as a successful match against a trusted key. This bypasses mutual TLS authentication, enabling attackers to establish an encrypted ADB connection and execute commands with shell user privileges.
Successful exploitation requires specific conditions: the target device must have Developer Options enabled, Wireless Debugging exposed on the network, and at least one previously paired RSA host key in its trust store. Attackers must also have adjacent network access to the device’s ADB port (TCP 5555). Once exploited, the flaw allows unauthorized data extraction, silent malware installation, and system manipulation that bypasses Android’s sandbox protections.
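The comparison error described above is a general pattern: a key-comparison API whose result is tri-state (match, mismatch, error) gets tested as if it were boolean. The following C program is an added example written for this page; it is not code from adbd, AOSP or BARGHEST. It uses a constructed stand-in key type and a stand-in comparison function that follows the documented return contract of OpenSSL/BoringSSL EVP_PKEY_cmp (1 match, 0 mismatch, -1 differing key types, -2 unsupported), which is an assumption about that API rather than a copy of it. It shows the vulnerable check beside the hardened one against a trust store that, as the conditions above require, already holds one paired RSA host key.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a parsed public key; not adbd's real type. */
typedef enum { KEY_RSA, KEY_EC, KEY_ED25519 } key_type_t;
typedef struct {
    key_type_t  type;
    const char *pub;   /* opaque identifier standing in for key material */
} fake_pkey;

/* Assumed model of the documented return contract of OpenSSL/BoringSSL
 * EVP_PKEY_cmp(): 1 = public components match, 0 = they differ,
 * -1 = key types differ, -2 = comparison unsupported. */
static int pkey_cmp_like_evp(const fake_pkey *a, const fake_pkey *b) {
    if (a->type != b->type)
        return -1;                      /* non-zero, but NOT a match */
    return strcmp(a->pub, b->pub) == 0 ? 1 : 0;
}

/* Vulnerable shape: any non-zero result is taken as "client key is trusted".
 * A client key of a different type than a stored RSA key yields -1 and is
 * therefore accepted without its public components ever being compared. */
int verify_client_vulnerable(const fake_pkey *client,
                             const fake_pkey *trusted, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (pkey_cmp_like_evp(client, &trusted[i]))
            return 1;
    }
    return 0;
}

/* Hardened shape: only an exact 1 is a match; 0 means "differs" and
 * negative values are errors, so both fall through to rejection. */
int verify_client_hardened(const fake_pkey *client,
                           const fake_pkey *trusted, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int rc = pkey_cmp_like_evp(client, &trusted[i]);
        if (rc == 1)
            return 1;
        /* rc == 0 or rc < 0: not this key, keep looking */
    }
    return 0;
}

/* Runs one scenario against a constructed trust store holding a single
 * previously paired RSA host key. Returns the verdict: 1 accept, 0 reject. */
int scenario(key_type_t client_type, const char *client_pub, int hardened) {
    const fake_pkey trust_store[] = { { KEY_RSA, "rsa-host-A" } };  /* constructed */
    const fake_pkey client = { client_type, client_pub };
    size_t n = sizeof trust_store / sizeof trust_store[0];
    return hardened ? verify_client_hardened(&client, trust_store, n)
                    : verify_client_vulnerable(&client, trust_store, n);
}

int main(void) {
    printf("EC client, unknown key   vulnerable=%d hardened=%d\n",
           scenario(KEY_EC, "ec-unknown", 0), scenario(KEY_EC, "ec-unknown", 1));
    printf("RSA client, paired key   vulnerable=%d hardened=%d\n",
           scenario(KEY_RSA, "rsa-host-A", 0), scenario(KEY_RSA, "rsa-host-A", 1));
    printf("RSA client, unknown key  vulnerable=%d hardened=%d\n",
           scenario(KEY_RSA, "rsa-other", 0), scenario(KEY_RSA, "rsa-other", 1));
    return 0;
}
```

The first line of output is the whole bug: an EC client that was never paired is accepted by the vulnerable check purely because the type mismatch produced -1, while the hardened check rejects it. The other two lines show that the fix does not change behaviour for RSA clients, which is why the defect survives ordinary testing with RSA host keys. When reviewing code that calls a comparison API, check the documented return values and compare against the success value explicitly rather than testing for non-zero.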
The vulnerability affects Android 14, 15, and 16 devices under the outlined conditions. Google has released a security patch in the May 2026 update to address the issue. Prior to patching, mitigation measures include disabling Wireless Debugging on untrusted networks and revoking unknown host authorizations. Disabling Developer Options when not in use further reduces exposure to automated exploitation attempts.
Source: https://cybersecuritynews.com/poc-exploit-android-zero-click-vulnerability/
Google TPRM report: https://www.rankiteo.com/company/google
"id": "goo1778574244",
"linkid": "google",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Android users (versions 14, 15, 16) with vulnerable configurations',
                        'industry': 'Technology/Software',
                        'location': 'Global',
                        'name': 'Google (Android)',
                        'size': 'Large',
                        'type': 'Technology Company'}],
 'attack_vector': 'Remote Exploitation (Zero-Click)',
 'customer_advisories': 'Android users urged to update devices and disable vulnerable configurations',
 'data_breach': {'data_encryption': 'Bypassed via improper TLS validation',
                 'data_exfiltration': 'Possible',
                 'personally_identifiable_information': 'Possible',
                 'sensitivity_of_data': 'High (if personally identifiable information or system data is extracted)',
                 'type_of_data_compromised': 'Potentially sensitive user data, system files'},
 'date_publicly_disclosed': '2026-05',
 'date_resolved': '2026-05',
 'description': 'Google’s May 2026 Android Security Bulletin disclosed a severe zero-click vulnerability (CVE-2026-0073) in the Android System’s *adbd* daemon, allowing threat actors to gain full remote shell access without user interaction. The flaw stems from a cryptographic logic error in the *adbd_tls_verify_cert* function, which improperly validates client certificates during the TLS handshake. Successful exploitation enables attackers to establish an encrypted ADB connection and execute commands with *shell* user privileges, bypassing Android’s sandbox protections.',
 'impact': {'data_compromised': 'Unauthorized data extraction, silent malware installation, system manipulation',
            'identity_theft_risk': 'High (if personally identifiable information is extracted)',
            'operational_impact': 'Full remote shell access, bypass of Android sandbox protections',
            'systems_affected': 'Android devices (versions 14, 15, 16) with Developer Options enabled, Wireless Debugging exposed, and pre-paired RSA host keys'},
 'investigation_status': 'Resolved (patched)',
 'lessons_learned': 'Improper cryptographic validation in security-critical components can lead to severe zero-click vulnerabilities. Regular audits of authentication mechanisms are essential.',
 'post_incident_analysis': {'corrective_actions': 'Security patch released to fix the validation logic in the *adbd* daemon',
                            'root_causes': 'Cryptographic logic error in *adbd_tls_verify_cert* function leading to improper client certificate validation'},
 'recommendations': ['Apply the May 2026 Android security patch immediately',
                     'Disable Wireless Debugging on untrusted networks',
                     'Revoke unknown or unused ADB host authorizations',
                     'Disable Developer Options when not in use',
                     'Monitor for unusual ADB connection attempts'],
 'references': [{'source': 'Google Android Security Bulletin (May 2026)'},
                {'source': 'BARGHEST Security Research'}],
 'response': {'communication_strategy': 'Android Security Bulletin (May 2026)',
              'containment_measures': 'Security patch released in May 2026 update',
              'remediation_measures': 'Disable Wireless Debugging on untrusted networks, revoke unknown host authorizations, disable Developer Options when not in use',
              'third_party_assistance': 'BARGHEST (security researchers)'},
 'stakeholder_advisories': 'Android device manufacturers and users advised to apply security updates and follow mitigation measures',
 'title': 'Critical Zero-Click Android Vulnerability Exposes Devices to Remote Exploitation',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2026-0073'}