Zero-Click Shell: Public Exploit and PoC Disclosed for Android’s Critical ADB Auth Bypass (CVE-2026-0073)

A critical vulnerability existing within the core of Android’s developer tools has been exposed, revealing a zero-click avenue for attackers to silently hijack mobile devices over Wi-Fi. Detailed in a new analysis by BARGHEST, a prominent security research team of hackers, the flaw—tracked as CVE-2026-0073—represents a severe breakdown in Android’s wireless debugging authentication protocols.

For developers and power users who routinely leave “ADB” (Android Debug Bridge) enabled, the threat is immediate and severe.

The vulnerability targets the ADB-over-TCP authentication path, a feature increasingly utilized through Android’s modern “Wireless debugging” capabilities.

While it is classified as a remote code execution (RCE) vulnerability, the BARGHEST team clarifies the true nature of the threat. As the researchers note:

“More precisely, it is not command injection or code injection in the narrow bug-class sense; it is an authentication bypass that lets a remote peer become an authorized ADB host and open a shell as the Android shell user”.

The fatal flaw exists at the complex intersection of three distinct security layers: “ADB packet negotiation, TLS 1.3 mutual authentication, and Android’s legacy RSA ADB host-key format”.

When a device connects via ADB, Android verifies the client’s TLS certificate against a trusted store of paired host keys (located at /data/misc/adb/adb_keys). Android expects these stored keys to be RSA public keys. However, the attacker completely controls the incoming TLS client certificate and can utilize a different cryptographic algorithm.

The system relies on a generic cryptographic comparison API (EVP_PKEY_cmp) to match the keys. Due to how Android evaluates the boolean return value of this specific OpenSSL/BoringSSL function when handling mismatched algorithms, the system is fatally tricked into authorizing the connection.

Once the authentication bypass is successful, the attacker has a direct line to the device’s internal shell.

Based on this analysis, several security researchers have released a proof-of-concept exploit to exploit this vulnerability.

According to BARGHEST’s analysis, “The impact is that a remote network peer becomes an authorized debugging host without the paired host private key, gaining a powerful staging context for data access, account abuse, device reconfiguration, and follow-on exploitation”.

While the attacker is still technically constrained by Android’s SELinux model and app permission sandboxes, a shell context provides more than enough firepower for malicious operations. In the hands of a spyware operator, this access can be weaponized to orchestrate sophisticated account takeovers. The attacker can launch hidden activities, manipulate device settings, silently read notifications to intercept two-factor authentication codes, and forcefully install malicious helper applications.

The zero-click nature of this vulnerability over local networks makes public Wi-Fi a minefield for devices with wireless debugging enabled. BARGHEST recommends several immediate actions to secure vulnerable devices:

• Patch Immediately: Users must install the latest Android security updates and verify that their device’s security patch level explicitly includes the fix for CVE-2026-0073.
• Kill the Switch: Disable ADB entirely when it is not actively being used for development. If Developer Options are not strictly necessary, turn the feature off completely.
• Network Discipline: Never enable Wireless debugging on untrusted or public Wi-Fi networks, and never expose ADB endpoints beyond a trusted local network.
• Audit Paired Devices: Navigate to Developer Options and aggressively revoke any unknown or stale paired debugging hosts.
• Stay Vigilant: Treat any unexpected prompts to install network, security, or “configuration” applications as high-risk indicators of compromise.