Android ADB: Remote Shell Without a Trusted Key
⚔️ Attack Techniques & Methods
2026-05-13, 11:33
BARGHEST disclosed CVE-2026-0073, a high-severity vulnerability in Android adbd. If ADB over TCP was enabled on a device — for example via Wireless debugging — a remote attacker could authenticate as a trusted ADB client without possessing the private key of a previously authorized computer.
The issue was located in adbd_tls_verify_cert. Android compared the RSA public key stored in /data/misc/adb/adb_keys with the key extracted from the client TLS certificate:
    if (EVP_PKEY_cmp(known_evp.get(), evp_pkey.get())) {
        verified = true;
    }
The problem is that EVP_PKEY_cmp does not return a Boolean value. It returns:
1 if the keys match
0 if keys of the same type do not match
a negative value for errors or incompatible key types
If an attacker supplied a non-RSA certificate — for example using EC P-256 or Ed25519 — comparison against the stored RSA key returned -1. In C/C++, any non-zero value evaluates to true, causing adbd to treat the certificate as successfully verified.
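The truthiness bug described above, next to a hardened comparison, as an added example that is not adbd or OpenSSL code. Key, key_cmp, verify_vulnerable and verify_hardened are hypothetical stand-ins that follow the return convention listed for EVP_PKEY_cmp, the key values are constructed, and the hardened form assumes the fix is to accept only a return of exactly 1 (the page does not show the actual patch).

```cpp
// Added example: a stand-in model, not adbd or OpenSSL code.
#include <iostream>
#include <string>
#include <vector>

enum class KeyType { RSA, EC_P256, ED25519 };

struct Key {  // hypothetical stand-in for an EVP_PKEY
    KeyType type;
    std::string material;  // constructed placeholder, not real key bytes
};

// Follows the return convention the page lists for EVP_PKEY_cmp:
// 1 = match, 0 = same type but different key, negative = incompatible types.
int key_cmp(const Key& a, const Key& b) {
    if (a.type != b.type) return -1;
    return a.material == b.material ? 1 : 0;
}

// Pattern from the page: the tri-state result is used as a boolean.
bool verify_vulnerable(const std::vector<Key>& known, const Key& presented) {
    bool verified = false;
    for (const Key& k : known) {
        if (key_cmp(k, presented)) verified = true;  // -1 is non-zero
    }
    return verified;
}

// Hardened form (assumption): only an explicit 1 counts as a match.
bool verify_hardened(const std::vector<Key>& known, const Key& presented) {
    for (const Key& k : known) {
        if (key_cmp(k, presented) == 1) return true;
    }
    return false;
}

// Constructed sample data: one authorized RSA key and three presented keys.
const std::vector<Key> kKnown = {{KeyType::RSA, "authorized-host-rsa"}};
const Key kAuthorized = {KeyType::RSA, "authorized-host-rsa"};
const Key kOtherRsa = {KeyType::RSA, "unknown-host-rsa"};
const Key kEcClient = {KeyType::EC_P256, "unknown-host-ec"};

int main() {
    const Key* clients[] = {&kAuthorized, &kOtherRsa, &kEcClient};
    for (const Key* c : clients)
        std::cout << c->material << ": vulnerable=" << verify_vulnerable(kKnown, *c)
                  << " hardened=" << verify_hardened(kKnown, *c) << "\n";
    return 0;
}
```

An unknown RSA key is rejected by both checks, which is why the flaw only shows up when the presented key type differs from the stored one.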
Exploitation required implementing the logic of an ADB client: connecting to ADB-over-TCP, switching the connection into TLS mode, presenting a non-RSA certificate, and then opening a remote shell after bypassing verification.
The resulting shell ran with uid=2000 (shell) and allowed access to logs, package state information, and execution of commands such as pm, am, settings, and run-as.