Critical Android Zero-Click Flaw Grants Remote Shell Access

Google has issued its May 2026 Android Security Bulletin, drawing attention to a highly severe remote code execution (RCE) flaw. This vulnerability poses a significant risk to the Android ecosystem.

Tracked as CVE-2026-0073, this critical vulnerability resides deep within the core Android System component.

It allows an attacker to gain remote shell access without requiring a single tap, download, or click from the device owner.

Threat actors can launch this zero-click attack proximally, meaning they only need to be on the same local network or in physical proximity to exploit a vulnerable mobile device.

Android Zero-Click Vulnerability

The root of CVE-2026-0073 lies within the adbd subcomponent, which stands for the Android Debug Bridge daemon.

Developers traditionally utilize this system service to communicate with a device, run terminal commands, and modify system behavior.

Because the flaw grants remote code execution as a “shell” user, attackers can bypass normal application sandboxes.

They do not need any special execution privileges or user interaction to deploy their malicious payloads successfully.

Imagine the adbd service as a restricted maintenance door on a secure corporate building.

This vulnerability acts like a master key that works over a wireless connection, allowing an intruder to quietly unlock the door and issue commands to the building’s internal systems without the security guard ever noticing.

This frictionless level of access makes the vulnerability highly dangerous and incredibly attractive to advanced threat actors.

Because the adbd service is a Project Mainline component distributed via Google Play system updates, the flaw affects multiple recent generations of the operating system.

Android 14, Android 15, Android 16, and Android 16-QPR2 devices are currently at risk.

Google has resolved this critical issue in the May 1, 2026, security patch level, as detailed in the Android Security Bulletin May 2026.

All Android hardware partners were notified of this vulnerability at least a month in advance to help them prepare over-the-air firmware updates.

Corresponding source code patches are also being pushed to the Android Open Source Project (AOSP) repository to ensure ongoing platform stability for the wider ecosystem.

Device owners must prioritize installing the latest security updates immediately to block potential exploitation.

To confirm that a device is protected, navigate to system settings and verify that the security patch level is May 1, 2026, or later.

Users should also manually check for pending Google Play system updates, as some devices running Android 10 or later may receive targeted component patches via this alternative channel.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.