CVE-2026-0073 Overview
CVE-2026-0073 is an authentication bypass vulnerability in the Android Debug Bridge daemon (adbd). The flaw resides in the adbd_tls_verify_cert function within auth.cpp and stems from a logic error in the wireless ADB mutual authentication routine. An attacker on an adjacent network can bypass certificate verification and execute code as the shell user without user interaction. The issue affects Google Android versions 14, 15, and 16, including several Android 16 QPR2 beta releases. Google addressed the flaw in the May 2026 Android Security Bulletin.
Critical Impact
Adjacent attackers can bypass wireless ADB mutual TLS authentication and gain remote code execution as the Android shell user with no user interaction required.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)
Discovery Timeline
- 2026-05-04 - CVE-2026-0073 published to the National Vulnerability Database (NVD)
- 2026-05-01 - Google releases fix in the Android Security Bulletin
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-0073
Vulnerability Analysis
The vulnerability is classified under [CWE-303] (Incorrect Implementation of Authentication Algorithm). It affects adbd_tls_verify_cert, the routine responsible for validating peer certificates during the wireless ADB TLS handshake. Wireless ADB pairs a host with a device using mutual TLS, where both endpoints prove possession of trusted keys. A logic error in this verification path allows an unpaired peer to complete the handshake without satisfying the expected trust check.
Once the bypass succeeds, the attacker obtains an authenticated ADB session and can issue shell commands, install packages, read application data accessible to the shell user, and pivot further into the device. The shell user has broad debugging privileges on Android, including access to pm, am, dumpsys, and the ability to write to world-readable locations.
Root Cause
The root cause is a logic error in the certificate verification flow inside adbd_tls_verify_cert (system/core/adb/daemon/auth.cpp). The function fails to correctly enforce that the presenting peer holds a key already paired with the device, allowing certificate validation to return success under conditions where it should fail.
Attack Vector
Exploitation requires adjacent network access — typically the same Wi-Fi network as the target device — with wireless ADB enabled. The attacker connects to the device's wireless ADB listener and initiates a TLS handshake. Because adbd_tls_verify_cert returns a positive verification result without proper trust enforcement, the attacker proceeds directly to an authenticated ADB session. No user interaction or prior pairing is required.
No public proof-of-concept code is available. Technical details are limited to the description in the Android Security Bulletin May 2026.
Detection Methods for CVE-2026-0073
Indicators of Compromise
- Unexpected ADB sessions originating from unknown hosts on the local network when wireless debugging is enabled.
- New or unrecognized entries in the device's paired ADB key store (/data/misc/adb/adb_keys).
- Shell-level activity on devices that should not be in developer mode, including invocations of pm install, am start, or settings put.
Detection Strategies
- Monitor enterprise Wi-Fi networks for TCP connections to the wireless ADB port range (typically 30000–49999) on managed Android devices.
- Use mobile device management (MDM) policies to alert on devices where Developer Options or Wireless Debugging is enabled outside an approved engineering scope.
- Inspect device logcat records for adbd authentication events and connections from unexpected source addresses.
Monitoring Recommendations
- Track Android patch level across the fleet and flag devices not on the May 2026 security patch level or later.
- Alert on lateral movement patterns where an authenticated host issues adb shell commands such as pm, dumpsys, or screencap against multiple devices.
- Correlate Wi-Fi association logs with ADB connection events to identify rogue devices probing for wireless debugging endpoints.
How to Mitigate CVE-2026-0073
Immediate Actions Required
- Apply the May 2026 Android security patch level (2026-05-01 or later) to all affected devices.
- Disable Wireless Debugging on all production and user devices through MDM policy until patches are confirmed installed.
- Restrict developer devices that require wireless ADB to isolated, trusted networks.
Patch Information
Google published the fix in the Android Security Bulletin May 2026. Devices must be updated to a security patch level of 2026-05-01 or later. OEMs distribute the patch through their standard over-the-air (OTA) update channels; Pixel devices receive the fix directly from Google.
Workarounds
- Disable Developer Options and Wireless Debugging in Settings > System > Developer options on all non-engineering devices.
- Use USB-based ADB rather than wireless ADB when debugging is required.
- Place devices that must use wireless debugging on a segmented VLAN with no untrusted clients.
- Enforce Wi-Fi client isolation on corporate wireless networks to block adjacent device-to-device communication.
# Disable wireless ADB via adb (USB) until patch is applied
adb shell settings put global adb_wifi_enabled 0
# Verify the device security patch level
adb shell getprop ro.build.version.security_patch
# Expected output: 2026-05-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
