Overview
CVE-2026-0073 is a critical remote code execution vulnerability residing in the adbd_tls_verify_cert function within auth.cpp — the Android Debug Bridge (ADB) daemon’s TLS certificate verification routine. The flaw is rooted in a logic error that allows an attacker to bypass wireless ADB mutual authentication entirely.
Severity & Classification
- CVSS: Critical
- Type: Remote Code Execution (RCE)
- Vector: Network (proximal/adjacent)
- User Interaction: None required
- Privileges Required: None
Affected Versions
Affected Android versions are 14, 15, 16, and 16-QPR2. Android 16-QPR2 was previously unaffected status but is now marked affected.
Vulnerability Mechanics
The vulnerability sits within the System component of Android and is classified under the adbd (Android Debug Bridge Daemon) Project Mainline subcomponent.
ADB wireless pairing (introduced in Android 11) uses mTLS (mutual TLS) to ensure both the host and the device authenticate each other before establishing a debug session. The flaw in adbd_tls_verify_cert breaks this mutual authentication contract — specifically, the logic error likely allows a malformed or invalid certificate to pass verification, enabling an adjacent attacker on the same network segment to impersonate a trusted ADB host and gain shell-level code execution on the target Android device without any user interaction.
Attack Surface
The attack vector is proximal/adjacent — the attacker must be on the same network segment (e.g., same Wi-Fi), making this particularly dangerous in enterprise MDM environments, developer workstations with wireless ADB enabled, and conference/public Wi-Fi scenarios where devices have ADB wirelessly enabled and lingering in an open pairing state.
Impact
Successful exploitation grants RCE as the shell user — a privileged process context on Android that can read most app data (without direct root), interact with am/pm commands, pull sensitive files, install packages silently, and pivot further via other local privilege escalation vulnerabilities toward root.
Patch & Remediation
Google published the fix as part of the Android Security Bulletin — May 2026, released May 4, 2026. Devices running security patch level 2026-05-01 or later are protected. The fix is also delivered as a Google Play System Update under the adbd Mainline module — meaning patch delivery does not require a full OTA on Android 10+ devices.
Detection Guidance
- Monitor for unexpected ADB wireless pairing events on managed Android fleet
- Audit MDM logs for
adb tcpipor port 5555 connection attempts on the network - Check Android security patch level: Settings → About Phone → Android Security Patch Level → verify 2026-05-01 or later
- Network-level detection: anomalous TLS handshakes to/from port 5555 on internal segments
Immediate Actions
- Apply the May 2026 Android Security Bulletin patch / Play System Update immediately
- Disable ADB wireless debugging on all non-development production devices (MDM policy enforcement)
- If ADB wireless is operationally required, enforce network-level segmentation — restrict ADB port (5555) access to dedicated management VLANs
- Audit device fleet for patch level compliance — prioritize Android 14/15/16 devices
Credit
Discovered by Ovi (@0x0v1) of Barghest.asia.
Very nice.