The newly published May 2026 Android security bulletin comes with one clear warning: update now if you use Android 14, Android 15, Android 16, or Android 16-QPR2. The reasoning is simple enough: a critical vulnerability in a Google Android System component can give an attacker remote shell access without any user interaction required. That’s right, this is a zero-click vulnerability, and that’s why it is so dangerous. What the attacker does need, however, is to be on the same local network, or otherwise physically close to the target device, which does at least mitigate the risk. That said, the advice to update now stands. Why take any chances when the solution is simple enough and doing nothing effectively gives an attacker a master key that evades security detection?

The Critical CVE-2026-0073 Google Android Zero-Click Vulnerability Explained

Tracked by the Common Vulnerabilities and Exposures system as CVE-2026-0073, Google has confirmed that this core Android System component vulnerability could “lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed,” adding that “user interaction is not needed for exploitation.”

While there is no evidence to suggest that the zero-click vulnerability has been exploited in the wild at this stage, it would not be unusual for this to happen as more technical details emerge. Currently, according to CVE.org, it is known that “In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code.” The wireless Android Debug Bridge is meant to be a secure method for developer interaction with devices, but CVE-2026-0073 appears to undermine the way that the encryption works with ADB, effectively giving an attacker a master key to access a device by impersonating a trusted source. The result is remote code execution by way of a shell that can bypass application sandboxes. And that, dear reader, is a bad thing.

“Security patch levels of 2026-05-01 or later address all of these issues,” Google said, while confirming: “The issue in this bulletin is a critical security vulnerability.” That rating was applied, Google said, due to the “effect that exploiting the vulnerability would possibly have on an affected device.”

While the fractured nature of the Android ecosystem means that your device might not yet have an update available, Google has already notified all hardware vendors of the vulnerability well in advance of the May Android security bulletin publication on May 4, so hopefully your update will be here already.
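
To check where a device you administer stands against the 2026-05-01 patch level quoted above, the following script is an added example, not code from Google or from the bulletin. Its verdict labels and the `--live` switch are made up for illustration. It assumes QPR builds report the same release number as their base version, and it treats an enabled wireless debugging setting as a reason to prioritise the update, which the bulletin does not state.

```shell
#!/bin/sh
# Added example: triage one Android device against the bulletin's fixed patch level.
FIXED_SPL="2026-05-01"   # "Security patch levels of 2026-05-01 or later" (bulletin quote)

# spl_is_fixed SPL: exit 0 if SPL is on or after FIXED_SPL, 1 if older, 2 if malformed.
spl_is_fixed() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    a=$(printf '%s' "$1" | tr -d '-')
    b=$(printf '%s' "$FIXED_SPL" | tr -d '-')
    [ "$a" -ge "$b" ]
}

# assess RELEASE SPL ADB_WIFI: print a verdict (labels are hypothetical).
assess() {
    release=$1; spl=$2; adb_wifi=$3
    case "$release" in
        14|15|16) ;;                      # versions named in the article
        *) echo "NOT_LISTED"; return 0 ;; # not covered by the article's list
    esac
    if spl_is_fixed "$spl"; then
        echo "PATCHED"
    else
        rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "UNKNOWN_SPL"                # property empty or unparseable
        elif [ "$adb_wifi" = "1" ]; then
            echo "UNPATCHED_WIRELESS_ADB_ON"  # assumption: update these first
        else
            echo "UNPATCHED"
        fi
    fi
}

# Live use: sh check.sh --live [adb-serial]
if [ "${1:-}" = "--live" ]; then
    s=${2:+-s $2}
    rel=$(adb $s shell getprop ro.build.version.release | tr -d '\r')
    spl=$(adb $s shell getprop ro.build.version.security_patch | tr -d '\r')
    wifi=$(adb $s shell settings get global adb_wifi_enabled | tr -d '\r')
    assess "$rel" "$spl" "$wifi"
fi
```

Without `--live` the script only defines the functions, so `assess` can also be fed values exported from a device inventory.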