Google Issues Emergency Patch for Critical "Zero-Click" Android Flaw CVE-2026-0073
Google has released an urgent security bulletin addressing a catastrophic zero-click vulnerability, tracked as CVE-2026-0073, lurking within the core Android System. The flaw, primarily located in the Android Debug Bridge daemon (adbd), allows nearby attackers to execute remote code as the "shell user" without any victim interaction. Security experts at Barghest Research unmasked the bug as a logic error in the TLS authentication path, where the system incorrectly validates mismatched certificates, granting unauthorized remote shell access.
The vulnerability affects billions of devices running Android 14, 15, and the newly released 16. Exploitation occurs silently over adjacent networks (such as public Wi-Fi), bypassing traditional app sandboxes and potentially allowing the installation of invisible spyware. While Google confirms no active exploitation at the time of disclosure, the release of a Proof-of-Concept (PoC) exploit on GitHub has heightened the urgency. Users are urged to apply the May 2026 security patch immediately and disable "Wireless Debugging" in developer options to mitigate the risk.
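
The two mitigations above can be checked per device over a USB adb connection. The script below is an added example, not code from Google's bulletin or from the researchers. The patch-level threshold 2026-05-01, the verdict names and the function names `assess` and `audit_device` are assumptions made here.

```shell
#!/bin/sh
# Added example: classify a device against the mitigations named in the article.
# Assumption: the "May 2026 security patch" shows up as a patch level string
# of 2026-05-01 or later; confirm the exact value against the bulletin.
FIXED_LEVEL="2026-05-01"

# assess RELEASE PATCH_LEVEL ADB_WIFI -> prints one verdict word
assess() {
    release=${1%%.*}; patch=$2; wifi=$3
    case "$release" in
        14|15|16) ;;                      # versions the article lists as affected
        *) echo "NOT_LISTED"; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are removed
    p=$(printf '%s' "$patch" | tr -d '-')
    f=$(printf '%s' "$FIXED_LEVEL" | tr -d '-')
    case "$p" in
        ''|*[!0-9]*) echo "UNKNOWN"; return 0 ;;   # missing or malformed level
    esac
    if [ "$p" -ge "$f" ]; then
        echo "PATCHED"
    elif [ "$wifi" = "1" ]; then
        echo "EXPOSED"                    # unpatched and Wireless Debugging on
    else
        echo "UNPATCHED_MITIGATED"        # unpatched, Wireless Debugging off
    fi
}

# audit_device SERIAL: read the three values from one attached device
audit_device() {
    rel=$(adb -s "$1" shell getprop ro.build.version.release | tr -d '\r')
    lvl=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r')
    wifi=$(adb -s "$1" shell settings get global adb_wifi_enabled | tr -d '\r')
    printf '%s\t%s\n' "$1" "$(assess "$rel" "$lvl" "$wifi")"
}

# Serials are passed as arguments; with none, only the functions are defined.
for serial in "$@"; do audit_device "$serial"; done
```

Serial numbers come from `adb devices`. A device reported as UNPATCHED_MITIGATED still needs the update, since the setting can be switched back on.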