Google has released its Android Security Bulletin for May 2026, disclosing a single, highly critical remote code execution (RCE) vulnerability, CVE-2026-0073, that affects Android versions 14, 15, 16, and 16-QPR2, requiring zero user interaction and no elevated privileges to exploit.
Google published the Android Security Bulletin for May 2026 on May 4, 2026, marking one of the most focused bulletins of the year, addressing a singular, Critical-severity vulnerability in the Android System component.
Unlike previous monthly bulletins, such as March 2026, which patched a sprawling 129 vulnerabilities, including a Qualcomm zero-day under active exploitation, the May bulletin’s narrow scope places its entire weight on a single flaw with far-reaching consequences.
Security patch levels of 2026-05-01 or later fully address the disclosed vulnerability. Google will release the corresponding AOSP (Android Open Source Project) source code patches within 48 hours of the bulletin’s publication, and the bulletin will subsequently be updated to include AOSP links.
CVE-2026-0073: Critical Zero-Click RCE
CVE-2026-0073 is a Critical-severity Remote Code Execution (RCE) vulnerability residing in Android’s System component, specifically tracked under Android bug ID A-469080888.
What makes this vulnerability particularly alarming is its attack profile, it requires no user interaction and no additional execution privileges, allowing a remote attacker within proximal or adjacent network range to execute arbitrary code as the shell user on any unpatched device.
Security researchers at SecurityOnline have highlighted this flaw as a zero-click vulnerability exploitable via the Wireless ADB (Android Debug Bridge) pathway, meaning a threat actor with network adjacency can silently compromise an Android device without the victim ever tapping, clicking, or approving anything.
The flaw has been confirmed to be delivered via Google Play system updates under the adbd (Android Debug Bridge Daemon) subcomponent via the Project Mainline framework, enabling over-the-air patching without requiring a full OS update. All devices running a security patch level of 2026-05-01 or later are protected.
The CVE-2026-0073 vulnerability is rooted in the adbd daemon the core service that manages the Android Debug Bridge protocol a component responsible for device communication, shell access, and debugging operations, when exposed over a wireless network (Wireless ADB).
A malformed or specially crafted request to this daemon can trigger the flaw and allow remote shell-level execution without requiring the attacker to have any foothold on the device beforehand.
The vulnerability is classified as proximal/adjacent in attack vector terms, meaning an attacker does not need access over the open internet but does need to be on the same local network, such as a shared Wi-Fi environment, enterprise network, or a public hotspot.
This makes the threat especially relevant in corporate environments, hotels, coffee shops, and conference venues where multiple unknown devices share network infrastructure. The CVSS classification of this flaw aligns with the most severe end of Android’s severity framework, which Google assesses with platform and service mitigations turned off.
One key advantage of the mitigation outlined in the May 2026 bulletin is the delivery mechanism. The fix for CVE-2026-0073 is distributed via Project Mainline, Google’s modular update system that pushes critical patches through the Google Play Store independently of manufacturer firmware updates.
The patched adbd module can be updated directly on devices running Android 10 and later without waiting for a full OEM security update cycle. This is significant given historically persistent fragmentation problem across the Android ecosystem: millions of devices remain unpatched for months after a bulletin due to delayed carrier and manufacturer rollouts.
Google Play Protect, enabled by default on all Google Mobile Services (GMS) devices, continues to actively monitor for Potentially Harmful Applications (PHAs) that may attempt to exploit such vulnerabilities, providing an important behavioral defense layer while device patches are deployed.
The May 2026 bulletin follows an active year for Android security. The March 2026 bulletin addressed 129 vulnerabilities and included a Qualcomm zero-day (CVE-2026-21385) that was confirmed under limited, targeted exploitation and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The April 2026 bulletin addressed 47 vulnerabilities across Samsung Galaxy devices alone, including 14 Critical and 18 High-severity issues from Google’s core Android patches.
The broader 2026 threat landscape for mobile devices is being shaped by AI-driven social engineering, which ISACA reports has become the #1 critical threat cited by 63% of security professionals, surpassing ransomware for the first time in 2025.
Against this backdrop, zero-click RCE flaws like CVE-2026-0073 represent the highest-priority attack surface, as they can be silently weaponized for initial compromise before layering in social engineering or data exfiltration payloads.
| Android Version | Patched in May 2026 Bulletin |
|---|---|
| Android 14 | Yes |
| Android 15 | Yes |
| Android 16 | Yes |
| Android 16-QPR2 | Yes |
Mitigation
Organizations and individual users should take the following immediate steps:
- Update immediately – Apply the May 2026 security patch (2026-05-01) on all Android 14, 15, and 16 devices without delay
- Verify patch level – Navigate to Settings → About Phone → Android Version → Security Patch Level and confirm it reads 2026-05-01 or later
- Disable Wireless ADB on all non-development devices, especially in enterprise deployments, to reduce the attack surface until patches are confirmed applied
- Restrict network exposure – Avoid connecting Android devices to untrusted Wi-Fi networks, particularly in shared or public environments where proximal attackers may lurk
- Enable Google Play Protect – Ensure real-time threat scanning is active under Google Play → Settings → Play Protect
- MDM enforcement – Enterprise IT and security teams should use Mobile Device Management solutions to enforce mandatory patch compliance and flag non-compliant devices
- Use the ADB command to verify the patch status:
adb shell getprop ro.build.version.security_patchthe output should return2026-05-01or later
FAQ
Q1: What is CVE-2026-0073?
It is a Critical zero-click RCE vulnerability in Android’s adbd System component, affecting Android 14–16 and patched in the May 2026 security bulletin.
Q2: Do I need to take any action if my device has Google Play Protect enabled?
Google Play Protect provides behavioral monitoring but does not replace the need to update to the 2026-05-01 security patch level for full protection.
Q3: Which Android versions are affected by CVE-2026-0073?
Android versions 14, 15, 16, and 16-QPR2 are all affected and must be updated to the May 2026 security patch level (2026-05-01) or later.
Q4: Can my device be exploited over the internet, or does the attacker need to be nearby?
The attack vector is a proximal/adjacent network, meaning the attacker must be on the same local or Wi-Fi network, not the open internet.
Site: thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.
About the Author
