Android smartphone showing a zero-click vulnerability exploit, with hacker accessing device remotely via network and gaining shell-level control without user interaction.

Google has disclosed a critical Android vulnerability, tracked as CVE-2026-0073, that allows attackers to gain remote shell access without any user interaction. The flaw exists in the Android Debug Bridge (adbd) component and can be exploited over the same network or nearby proximity, making it a serious zero-click threat.

Android smartphone showing a zero-click vulnerability exploit, with hacker accessing device remotely via network and gaining shell-level control without user interaction.Android smartphone showing a zero-click vulnerability exploit, with hacker accessing device remotely via network and gaining shell-level control without user interaction.

This vulnerability enables remote code execution as a “shell” user, allowing attackers to bypass app sandbox protections and run commands on the device. Affected versions include Android 14, 15, 16, and 16-QPR2, impacting a wide range of modern devices.

Google has patched the issue in the May 2026 security update and urges users to update immediately. Device owners should ensure their security patch level is May 1, 2026, or later and install any pending Google Play system updates to stay protected.


 Don't trust a single layer. Upgrade to NPAV EPS — Because your Defender can't defend itself.