PATCH BEFORE EOD | ANDROID
Active Threat · 10 min read

Android CVE-2026-0073: Zero-Click RCE Threatens 3.9 Billion Devices — Patch Now

**3.9 billion** active Android devices worldwide running Android 14, 15, or 16, all directly affected by CVE-2026-0073 until the patch is applied.

**72.77%** global mobile OS market share held by Android, making CVE-2026-0073 the widest-reach zero-click mobile RCE vulnerability disclosed in 2026.

**0 clicks** of user interaction required to trigger CVE-2026-0073: no tap, no download, and no app install is needed for an attacker on the same network.

**4 versions** affected (Android 14, 15, 16, and 16-QPR2), covering every major Android release shipped on flagship devices over the past three years.

Android CVE-2026-0073, a critical zero-click remote code execution flaw rated Critical by Google in the May 2026 Android Security Bulletin, allows an attacker on the same network to bypass wireless ADB mutual authentication and execute code on any unpatched Android 14, 15, or 16 device without any user interaction — affecting 3.9 billion active Android devices worldwide.

**Android CVE-2026-0073 zero-click RCE** lives in the adbd component — the Android Debug Bridge daemon — under Google's Project Mainline. A logic error in adbd_tls_verify_cert within auth.cpp allows attackers to satisfy the TLS mutual authentication requirement for wireless ADB sessions without presenting a valid trusted certificate. The attack requires only that the attacker and target device share a local network or are within Bluetooth adjacency range. The device owner sees nothing. No alert fires. No tap, download, or interaction of any kind is required. The result is arbitrary code execution running as the shell user, positioned outside the standard Android application sandbox.

The mechanism targets the wireless debugging path specifically added to modern Android for development and device management workflows. That path uses TLS mutual authentication to prevent unauthorized connections. CVE-2026-0073 breaks the authentication check itself, reducing the protection to zero for anyone within adjacent network range. All four affected Android versions — Android 14, 15, 16, and 16-QPR2 — cover every flagship device released in the past three years.

Google published the fix on May 1, 2026 in the Android Security Bulletin and deployed it directly via Project Mainline Google Play system updates, bypassing normal carrier and OEM approval delays. Enterprise organizations with managed Android fleets are at immediate risk until every enrolled device reaches patch level 2026-05-01. Apply the update before end of day.


How Does Android CVE-2026-0073 Zero-Click RCE Work?

**CVE-2026-0073** targets the adbd service, which implements the Android Debug Bridge — the protocol Android uses for both USB and wireless debugging connections. The wireless variant of ADB establishes sessions over TCP port 5555 using TLS mutual authentication, requiring both parties to present valid certificates before any command exchange begins.

The vulnerability is a logic error in adbd_tls_verify_cert within auth.cpp. This function is responsible for verifying that the connecting party holds a certificate trusted by the device. The logic error allows an attacker to craft a TLS handshake that passes the verification check despite the absence of a legitimate trusted certificate. The flawed branch in the verification path returns success when it should reject the connection, granting the attacker a fully authenticated wireless ADB session.

Once an unauthorized ADB session is established, the attacker operates as the shell user — the highest non-root access level available through ADB. The shell user can read files across accessible directories, execute any command available to the shell, install arbitrary APKs without user prompts, and manipulate system state. On Android devices where USB debugging was ever enabled, or where wireless debugging is active for enterprise management purposes, the attack surface is immediately accessible to any adversary on the same local network.

The attack is classified as proximal/adjacent rather than fully remote because the attacker must reach TCP port 5555 on the target device. In practice, shared corporate WiFi, hotel networks, conference networks, and public hotspots all qualify as adjacent. This limitation does not provide meaningful protection in enterprise environments where Android devices regularly connect to shared infrastructure.

For broader context on how zero-click vulnerabilities are being chained with browser exploits in 2026 campaigns, see the [Chrome CVE-2026-5281 WebGPU zero-day breakdown](/blog/chrome-zero-day-cve-2026-5281).

Which Android Devices and Enterprise Deployments Are at Risk?

Every Android device running Android 14, Android 15, Android 16, or Android 16-QPR2 is vulnerable to CVE-2026-0073 until patched. Android holds 72.77% of global mobile OS market share with 3.9 billion active devices, making this the broadest zero-click mobile RCE disclosed in 2026.

Enterprise organizations carry concentrated exposure. Corporate Android fleets enrolled in mobile device management platforms typically run modern Android versions — precisely the versions listed in the May 2026 bulletin. BYOD programs that allow personal Android devices on corporate networks extend the attack surface beyond managed devices to include personal phones and tablets that may lag weeks or months behind on security patches due to carrier and OEM update delays.

Android devices in kiosk mode — point-of-sale terminals, customer-facing tablets, digital signage controllers, and field service devices — represent a particularly high-risk subset. These devices often run permanently on fixed corporate networks with fixed IP addresses, making them predictable targets. Kiosk configurations frequently leave diagnostic services enabled to support remote management, and many organizations do not prioritize rapid patching of kiosk devices.

The Google Project Mainline delivery mechanism substantially reduces the patching timeline for devices running Android 10 or later. Rather than requiring a full OS update — which must pass through carrier testing and OEM customization pipelines — Google pushes the adbd fix directly through the Google Play system update path. Devices check for and apply Project Mainline updates automatically when connected to a network, often within 48 hours of availability.

Organizations with MDM platforms (Microsoft Intune, Jamf, VMware Workspace ONE) should query compliance dashboards immediately for any device reporting a security patch level earlier than 2026-05-01 and trigger a forced update push to all enrolled devices.

Why Zero-Click Android Vulnerabilities Are Catastrophic for Enterprise Networks

Zero-click vulnerabilities eliminate the human element from the attack chain entirely. Traditional mobile security programs rely on user awareness training as a core defense layer: teach employees to recognize phishing links, reject suspicious app installs, and report unusual device behavior. CVE-2026-0073 removes all of those controls from the equation. The employee does nothing wrong. There is no malicious email, no suspicious link, no social engineering. An attacker within wireless range simply sends a crafted ADB connection and receives shell access.

Shell-level access on Android is not equivalent to root, but it exceeds what the Android application sandbox was designed to contain. An attacker with shell access can read application data directories for apps that store files world-readable by the shell user, extract stored credentials from accessible locations, enumerate installed applications and their versions to identify further exploitation paths, modify system-level configuration accessible to the shell, and install applications silently without triggering user prompts.

On enterprise-enrolled devices, the exposure extends to MDM-managed resources. Configuration profiles, corporate email certificates, VPN credentials, and enterprise application data may all be accessible from the shell user context. A compromised corporate Android device on a segmented enterprise network can serve as a lateral movement staging point toward internal systems that trust mobile device connections.

The adjacent network access requirement creates a specific threat scenario: an attacker sitting in the same conference room, hotel lobby, coffee shop, or co-working space as a target employee can exploit CVE-2026-0073 without any interaction. Executive travel, industry conferences, and remote work routinely place high-value Android devices on networks where untrusted parties have adjacent access.

For a parallel case study on how threat actors exploit authentication weaknesses in adjacent-access enterprise services to achieve deep network compromise, see the [Cisco SD-WAN CVE-2026-20133 credential chain attack analysis](/blog/cisco-sdwan-cve-2026-20133-credential-chain-attack).

> The flaw allows attackers to execute code remotely as the shell user without requiring any user interaction, making the vulnerability particularly dangerous, as exploitation does not depend on user actions such as clicking links or installing malicious apps.

CyberSecurityNews analysis of CVE-2026-0073, May 5, 2026

CVE-2026-0073 in Context: Android's 2026 Mobile Vulnerability Pattern

CVE-2026-0073 is the most significant Android vulnerability disclosed in 2026 in terms of raw device exposure, but it follows a pattern of escalating mobile attack surface exploitation this year.

In March 2026, Google confirmed active in-the-wild exploitation of CVE-2026-21385, a zero-day in a Qualcomm component affecting Android devices equipped with Qualcomm SoCs. That vulnerability was exploited in targeted attacks before a patch was available, demonstrating that Android device vulnerabilities do attract rapid exploitation. The CVSS score for CVE-2026-21385 was 7.8, lower than the 8.8 associated with CVE-2026-0073's attack characteristics, yet it was weaponized in active campaigns within the same month as its disclosure.

The April 2026 Android Security Bulletin patched 62 vulnerabilities across Framework, System, Kernel, and GPU components. The May 2026 bulletin follows that volume with CVE-2026-0073 as the headline critical item. The frequency of critical-severity Android patches in 2026 reflects the sustained attention that researchers and threat actors alike are directing at the mobile OS attack surface.

Enterprise Android device fleets average a 47-day lag between patch release and full deployment according to MDM telemetry reports from Q1 2026. That lag creates a window during which millions of corporate Android devices remain vulnerable to known, disclosed flaws. CVE-2026-0073's zero-click nature means the lag window is not a tolerable operational trade-off — it is an active liability on every corporate network where unpatched Android devices are present.

The Google Play system update mechanism for Project Mainline components narrows this window to as little as 48 hours for many devices, but only if the device is connected to a network and the update is not blocked by enterprise MDM policy. Organizations that have configured MDM policies to delay system updates for compatibility testing should review whether CVE-2026-0073 warrants an emergency exception today.

How to Detect CVE-2026-0073 Exploitation Attempts on Your Network

Detection for CVE-2026-0073 exploitation focuses on anomalous wireless ADB traffic and device behavior rather than file-system indicators, since the attack leaves minimal on-device forensic artifacts in its initial phase.

**Network-level detection:** Wireless ADB operates on TCP port 5555 by default. Any inbound connection to port 5555 on a corporate Android device from a source other than a known, authorized management server is an exploitation indicator. Implement a firewall rule or NGFW signature alerting on inbound TCP 5555 connections to Android device IP ranges on your network. SIEM queries that flag port 5555 connections from unexpected internal sources should trigger immediate device investigation.
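The network-level rule above, applied to constructed firewall log lines as an added example (this is not code from the article or from any vendor): it reports TCP connections to port 5555 on Android device subnets from any source other than an allow-listed management host, and keeps denied attempts as lower-severity probe indicators. The key=value log format, the subnets and the allow-list are assumptions to adapt to your own export.

```python
"""Flag inbound TCP/5555 (wireless ADB) connections to Android device subnets
from sources that are not allow-listed management servers.
Added example, not from the original article or from Google. The log format,
subnets and allow-list are constructed; adapt the regex to your firewall export.
"""
import ipaddress
import re

# Constructed: subnets where managed Android devices (including kiosks) live.
ANDROID_SUBNETS = [ipaddress.ip_network("10.40.0.0/16"),
                   ipaddress.ip_network("10.41.8.0/24")]
# Constructed: the only hosts permitted to open wireless ADB sessions.
AUTHORIZED_MGMT_HOSTS = {ipaddress.ip_address("10.10.5.20")}
ADB_PORT = 5555

# Constructed sample lines in a generic key=value firewall log format.
SAMPLE_LOGS = """\
2026-05-02T08:12:03Z action=allow proto=tcp src=10.10.5.20 spt=51230 dst=10.40.3.17 dpt=5555
2026-05-02T08:12:09Z action=allow proto=tcp src=10.40.7.99 spt=40211 dst=10.40.3.17 dpt=5555
2026-05-02T08:12:11Z action=allow proto=tcp src=10.40.7.99 spt=40212 dst=10.41.8.5 dpt=5555
2026-05-02T08:13:00Z action=allow proto=tcp src=10.40.3.17 spt=44000 dst=142.250.0.1 dpt=443
2026-05-02T08:13:21Z action=deny proto=tcp src=192.168.1.50 spt=60000 dst=10.40.3.18 dpt=5555
2026-05-02T08:14:02Z action=allow proto=udp src=10.40.7.99 spt=5555 dst=10.40.3.17 dpt=5555
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=\d+ dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)

def is_android_target(ip):
    return any(ip in net for net in ANDROID_SUBNETS)

def detect_adb_intrusions(log_text):
    """One alert per inbound TCP/5555 connection not from a management host.
    Denied attempts are kept at lower severity: they show someone on the
    segment is probing for the wireless ADB listener."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in other formats
        if m["proto"] != "tcp" or int(m["dpt"]) != ADB_PORT:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if not is_android_target(dst) or src in AUTHORIZED_MGMT_HOSTS:
            continue
        alerts.append({"ts": m["ts"], "src": str(src), "dst": str(dst),
                       "action": m["action"],
                       "severity": "high" if m["action"] == "allow" else "medium"})
    return alerts

def summarize_by_source(alerts):
    """Group targets by source so one probing host is triaged once."""
    summary = {}
    for a in alerts:
        summary.setdefault(a["src"], set()).add(a["dst"])
    return {src: sorted(dsts) for src, dsts in summary.items()}

if __name__ == "__main__":
    found = detect_adb_intrusions(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print(summarize_by_source(found))
```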

**MDM compliance monitoring:** Enterprise MDM platforms report device security patch levels in near real-time. Query your MDM dashboard for all enrolled Android devices with a patch level earlier than 2026-05-01. Any device not yet patched should be considered at risk. Trigger a remote wipe or network quarantine for devices that cannot be patched within your organization's defined SLA.

**Wireless ADB service status:** IT administrators can use MDM policy enforcement to disable wireless debugging across all enrolled Android devices. ADB over TCP is disabled by default on standard Android builds but may be enabled on developer devices, kiosk configurations, or devices enrolled in certain enterprise management profiles. Audit all enrolled devices for wireless debugging status and disable it where not operationally required.
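The MDM compliance query and the wireless-debugging audit described in the two paragraphs above can be run as one triage pass over an inventory export. This is an added example, not the article's or any MDM vendor's code: the CSV layout, column names and device rows are constructed assumptions, while the affected versions and the 2026-05-01 patch level are the bulletin values quoted in this article.

```python
"""Triage an MDM inventory export for CVE-2026-0073 exposure.
Added example, not from the article or from any MDM vendor. The CSV format
below is constructed; real Intune / Workspace ONE exports use different
column names, so map them before feeding data in.
"""
import csv
import io
from datetime import date

# From the May 2026 bulletin as quoted in the article.
FIXED_PATCH_LEVEL = date(2026, 5, 1)
AFFECTED_VERSIONS = {"14", "15", "16", "16-QPR2"}

# Constructed sample export: one row per enrolled device.
SAMPLE_INVENTORY = """\
device_id,model,android_version,security_patch,wireless_debugging,last_checkin
D-001,Pixel 9,16,2026-05-01,false,2026-05-02
D-002,Galaxy S24,15,2026-04-01,true,2026-05-02
D-003,Kiosk Tab A9,14,2026-03-01,true,2026-04-20
D-004,Pixel 7,13,2026-04-05,false,2026-05-01
D-005,Pixel 8,16-QPR2,2026-05-01,true,2026-05-02
D-006,Galaxy A54,15,unknown,false,2026-05-02
"""

def parse_patch_level(value):
    """Return a date, or None when the MDM reports no usable patch level."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None

def assess_device(row):
    """Classify one device as patched, not_affected, vulnerable or unknown."""
    version = row["android_version"].strip()
    patch = parse_patch_level(row["security_patch"])
    if version not in AFFECTED_VERSIONS:
        status = "not_affected"
    elif patch is None:
        status = "unknown"        # treat as exposed until verified on-device
    elif patch >= FIXED_PATCH_LEVEL:
        status = "patched"
    else:
        status = "vulnerable"
    return {
        "device_id": row["device_id"],
        "status": status,
        "wireless_debugging": row["wireless_debugging"].strip().lower() == "true",
    }

def triage(csv_text):
    """Return exposed devices, worst first: wireless debugging on means the
    TCP/5555 listener is reachable right now, so those get quarantined first."""
    rows = [assess_device(r) for r in csv.DictReader(io.StringIO(csv_text))]
    exposed = [r for r in rows if r["status"] in ("vulnerable", "unknown")]
    for r in exposed:
        r["action"] = ("quarantine, disable wireless debugging, push patch"
                       if r["wireless_debugging"] else "push patch")
    exposed.sort(key=lambda r: (not r["wireless_debugging"], r["device_id"]))
    return exposed

if __name__ == "__main__":
    for item in triage(SAMPLE_INVENTORY):
        print(item)
```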

**Behavioral indicators post-exploitation:** If CVE-2026-0073 is exploited, subsequent attacker activity via the shell user may generate detectable signals: unexpected APK installations not triggered by the device owner, connections to unknown external IP addresses, unusual battery drain from active shell sessions, or MDM policy modification attempts. Configure your MDM platform to alert on unapproved application installs and unexpected configuration changes.


How to Patch CVE-2026-0073 Before End of Day: 6 Steps

The May 2026 Android Security Bulletin patch is available now via Google Play system updates for all devices running Android 10 or later. Applying it today closes the CVE-2026-0073 attack surface completely. These steps cover both individual device patching and enterprise fleet deployment.


The bottom line

Android CVE-2026-0073 zero-click RCE gives any attacker on your corporate network a path to shell-level access on every unpatched Android 14, 15, or 16 device — no user interaction required, no warning, no visible indicator on the target device. With 3.9 billion Android devices worldwide at risk and a 47-day average enterprise patch lag, the window between Google's May 1 bulletin and widespread exploitation is measured in days, not weeks. Apply the Google Play system update now, push a mandatory MDM compliance policy requiring patch level 2026-05-01, disable wireless debugging on all devices where it is not required, and block inbound TCP port 5555 at your firewall before you leave today.

Frequently asked questions

What is CVE-2026-0073?

CVE-2026-0073 is a critical remote code execution vulnerability in the Android Debug Bridge daemon (adbd), rated Critical by Google in the May 2026 Android Security Bulletin. A logic error in the adbd_tls_verify_cert function within auth.cpp allows attackers on the same network to bypass wireless ADB mutual authentication without any user interaction. Successful exploitation gives the attacker shell-level code execution on the target device, bypassing Android's application sandbox.

How does the Android ADB authentication bypass in CVE-2026-0073 work?

The wireless Android Debug Bridge uses TLS mutual authentication to verify that both sides of a debugging session are trusted. In CVE-2026-0073, a logic error in the adbd_tls_verify_cert certificate verification function allows an attacker to satisfy the authentication check without presenting a valid trusted certificate. The attacker sends a crafted TLS handshake that the flawed verification logic accepts, establishing an unauthorized ADB session and enabling remote shell command execution as the shell user.

Which Android versions are affected by CVE-2026-0073?

Android 14, Android 15, Android 16, and Android 16-QPR2 are all affected. These versions cover every flagship Android release from the past three years and represent the overwhelming majority of active modern Android devices. Android 13 and earlier are not listed in the May 2026 bulletin. The fix is delivered through the May 1, 2026 security patch level update, available via Google Play system updates on devices running Android 10 or later.

Is CVE-2026-0073 being actively exploited in the wild?

As of the May 2026 Android Security Bulletin publication, Google has not confirmed in-the-wild exploitation of CVE-2026-0073. However, the zero-click nature, the wide attack surface across Android 14 through 16, and the availability of technical details in the bulletin make it a high-priority target for threat actors. Organizations should treat 'not yet exploited' as a narrow window for patching, not a reason to delay.

How do I check if my Android device is patched against CVE-2026-0073?

Navigate to Settings, then About Phone, then Android Security Patch Level. If the displayed date is 2026-05-01 or later, your device has the fix applied. On devices running Android 10 or later, Google can push the adbd fix directly through Google Play system updates without requiring a full OS update from your carrier or manufacturer. Verify the Google Play system update date separately under Settings, Security, Google Play system update.

Does disabling ADB protect against CVE-2026-0073?

Disabling USB debugging and wireless debugging on the device removes the attack surface entirely. In enterprise environments where ADB access is not required for business operations, disabling both USB debugging and wireless debugging via MDM policy is the strongest available control before the patch is applied. For development devices that require ADB, apply the patch immediately and restrict device access to trusted corporate networks only.

How do I detect CVE-2026-0073 exploitation attempts on my network?

Monitor your network for TCP connections to port 5555 from corporate devices — this is the default wireless ADB port. Any Android device receiving inbound connections on port 5555 from an unexpected source should be isolated and investigated. Enterprise MDM solutions should flag devices with wireless debugging enabled. On managed networks, a firewall rule blocking inbound port 5555 to Android device IP ranges provides an additional layer of protection before patching.

What can an attacker do after exploiting CVE-2026-0073?

Successful exploitation grants remote shell access as the shell user on Android, which bypasses application sandbox protections. From this position, an attacker can read files accessible to the shell user, execute system commands, install additional tools, extract stored credentials and session tokens from accessible application directories, and use the device as a pivot point deeper into the corporate network. On enterprise devices enrolled in MDM, shell access can expose MDM configuration, certificate stores, and email profiles.

Sources & references

  1. Android Security Bulletin — May 2026
  2. CyberSecurityNews — Critical Android Zero-Click Vulnerability Grants Remote Shell Access
  3. GBHackers — Critical Android Zero-Click Vulnerability Enables Remote Shell Access
  4. HKCERT — Android Remote Code Execution Vulnerability (May 2026)
  5. CyberPress — Critical Android Zero-Click Vulnerability Grants Attackers Remote Shell Access


Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
