Google fixes Android zero-click flaw that could give nearby attackers shell access

Google has fixed a serious Android security flaw that could let a nearby attacker run code as the shell user without any tap, download, or approval from the device owner. The vulnerability is tracked as CVE-2026-0073 and appears in the May 2026 Android Security Bulletin.

The bug affects Android’s System component, specifically the adbd subcomponent used by Android Debug Bridge. Google rated the issue critical because successful exploitation could lead to remote code execution from a proximal or adjacent position, such as the same network.

Users should install the May 1, 2026 Android security patch level or later as soon as it becomes available for their device. Pixel users should check for the latest system update, while Samsung, OnePlus, Xiaomi, Motorola, and other Android users may need to wait for their manufacturer or carrier rollout.

What CVE-2026-0073 actually does

CVE-2026-0073 comes from a logic error in the way Android verifies certificates for wireless ADB authentication. ADB normally helps developers connect to Android devices, run commands, install apps, and debug software.

The vulnerable function is called adbd_tls_verify_cert, and it sits inside auth.cpp. Because of the logic error, an attacker on an adjacent network could bypass wireless ADB mutual authentication and gain code execution as the Android shell user.

This does not mean every Android phone can be taken over from anywhere on the internet. The attack requires a nearby or same-network position, but the lack of user interaction makes it dangerous for exposed or misconfigured devices.

At a glance

Detail	Information
CVE ID	CVE-2026-0073
Component	Android System
Subcomponent	adbd
Bug type	Remote code execution
Google severity	Critical
External CVSS score	8.8 High from CISA-ADP
User interaction needed	No
Privileges needed	No additional execution privileges
Fixed patch level	2026-05-01 or later

Why wireless ADB makes this sensitive

Android Debug Bridge gives deep control over a device during development. It can open a shell, push files, install apps, collect logs, and help developers test system behavior.

Wireless ADB extends that access over a local network instead of a USB cable. That convenience becomes risky when authentication fails, because the connection path no longer depends on physical access to the phone.

In this case, the flaw could let a nearby attacker reach the shell user level. That level does not equal full root access, but it still gives much more power than a normal Android app would have inside its sandbox.

Affected Android versions

Android version	Risk status	Required fix
Android 14	Affected before the May 2026 patch	Install 2026-05-01 security patch level or later
Android 15	Affected before the May 2026 patch	Install 2026-05-01 security patch level or later
Android 16	Affected before the May 2026 patch	Install 2026-05-01 security patch level or later
Android 16 QPR2	Affected before the May 2026 patch	Install 2026-05-01 security patch level or later

How serious is the risk?

Google says exploitation does not require user interaction. That makes the vulnerability more serious than attacks that depend on tricking users into opening a file, clicking a link, or installing an app.

The attack path still has limits. The attacker needs adjacent access, which usually means the same local network or another nearby route. That narrows the threat compared with an internet-wide remote exploit.

The highest-risk environments include shared networks, development labs, enterprise test fleets, kiosks, unmanaged Android devices, and phones where wireless debugging has been enabled and forgotten.

What users should do now

• Open Settings on your Android device.
• Go to System and check for a software update.
• Install the latest Android security update when it appears.
• Open About phone and check the Android security update date.
• Make sure the security patch level shows May 1, 2026 or later.
• Check the Google Play system update date as well.
• Turn off Developer options if you do not use them.
• Disable Wireless debugging if you previously enabled it.

What IT teams should check

Companies should treat this as a priority patching issue, especially if they manage Android devices used by developers, field workers, testers, or kiosk deployments. Devices that expose ADB services deserve special attention.

Security teams should inventory Android 14, Android 15, Android 16, and Android 16 QPR2 devices, then confirm whether they received the 2026-05-01 patch level. Teams should also review Wi-Fi networks where Android devices share access with untrusted or guest systems.

Administrators should disable wireless debugging through policy where possible and prevent users from enabling developer settings on managed devices. This reduces exposure even before every manufacturer completes its update rollout.

Why patch timing may vary

Google published the May 2026 Android Security Bulletin on May 4, 2026. The company says Android partners receive notice of bulletin issues at least one month before publication, giving manufacturers time to prepare updates.

Pixel devices usually receive Android security updates quickly, but other Android phones depend on the device maker and carrier. Some patches may also arrive through Google Play system updates on Android 10 and later devices.

The safest move is to check both places: the normal Android system update screen and the Google Play system update screen. Restart the device after installation so the patch becomes active.

FAQ