CVE-2026-0073

Name of the Vulnerable Software and Affected Versions Android versions 14 through 16

Description An authentication bypass exists in the Android Debug Bridge daemon (adbd) within the adbd tls verify cert() function located in auth.cpp. The issue stems from a logic error where the EVP PKEY cmp() function is used to compare the RSA public key stored in /data/misc/adb/adb keys with the key from a client TLS certificate. Because EVP PKEY cmp() returns -1 for incompatible key types (such as EC P-256 or Ed25519) rather than a Boolean, the system evaluates any non-zero return value as true, incorrectly verifying the certificate.

This zero-click flaw allows a remote attacker on the same local network (proximal/adjacent) to bypass wireless ADB mutual authentication and execute arbitrary code as the shell user (uid=2000) without any user interaction. This access enables the attacker to read logs, capture screenshots, monitor sessions, and execute system commands via pm, am, settings, and run-as. Some reports also suggest a separate memory corruption flaw involving integer underflow during the parsing of malformed service discovery packets (mDNS/SSDP), which could lead to a heap-based buffer overflow and remote code execution.

Recommendations Update Android to the May 2026 security patch (2026-05-01 or later). Disable the Wireless debugging feature in Developer options. Restrict access to the adbd daemon by disabling Developer options globally via Enterprise Mobility Management (EMM) for corporate fleets.