Overview
- Google’s May Android security update addresses CVE-2026-0073, a critical bug that allowed remote code execution as the shell user with no user interaction required. The fix is included in devices with security patch level 2026-05-01 or later.
- The vulnerability sits in adbd, the Android Debug Bridge daemon, where a logic error in TLS certificate checks could bypass wireless ADB’s mutual authentication.
- Exploitation would likely require the attacker to be on the same local network as the target, and the user would not need to tap or approve anything.
- Google and independent reports say there is no evidence the flaw has been exploited in the wild so far.
- Wear OS, Pixel Watch, Android XR, and Android Automotive did not receive patches this month, so users should install updates as their device maker releases them.
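
A patch-level triage for the points above, written as an added example (not code from Google or the original page). It assumes the `adb_wifi_enabled` global setting is a usable proxy for whether wireless ADB is on, which the page does not state; the status names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify devices against the 2026-05-01 patch level.
# On a real device the two inputs can be read over USB debugging with:
#   adb shell getprop ro.build.version.security_patch
#   adb shell settings get global adb_wifi_enabled
FIXED_SPL="2026-05-01"   # patch level named in the overview

# spl_to_int: print YYYYMMDD for a well-formed YYYY-MM-DD, fail otherwise.
spl_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s\n' "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# assess_device SPL ADB_WIFI -> prints PATCHED, UNPATCHED_WIFI_ADB_ON,
# UNPATCHED_WIFI_ADB_OFF, or UNKNOWN (patch level missing or malformed).
assess_device() {
    have=$(spl_to_int "$1") || { echo UNKNOWN; return 0; }
    need=$(spl_to_int "$FIXED_SPL")
    if [ "$have" -ge "$need" ]; then
        echo PATCHED
    elif [ "$2" = "1" ]; then
        echo UNPATCHED_WIFI_ADB_ON      # highest priority to update
    else
        echo UNPATCHED_WIFI_ADB_OFF     # "0" or "null" (never set)
    fi
}

# audit: read "name spl adb_wifi" lines on stdin, print "name status".
audit() {
    while read -r name spl wifi; do
        [ -n "$name" ] || continue
        printf '%s %s\n' "$name" "$(assess_device "$spl" "$wifi")"
    done
}

# Constructed sample inventory (hypothetical device names and values).
sample_inventory() {
cat <<'EOF'
phone-a 2026-05-01 1
phone-b 2026-04-05 1
tablet-c 2026-03-01 0
watch-d unknown null
EOF
}

sample_inventory | audit
```

Devices reported as `UNKNOWN` need a manual check, since a missing or malformed patch level says nothing about whether the fix is present.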