Google patched a critical Android flaw (CVE-2026-0073) that lets attackers run code remotely without user action.
Google released a security update for Android to address a critical remote code execution flaw, tracked as CVE-2026-0073, in the System component. The bug allowed attackers to run code as the shell user without extra permissions or any user interaction.
The patch prevents potential full device compromise from remote exploitation.
“The vulnerability in this section could lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation.” reads the advisory.
The flaw impacts ‘adbd’ (Android Debug Bridge daemon), the background process on an Android device that enables communication with a computer through the Android Debug Bridge (ADB) tool.
Google is not aware of any public exploits for this issue or of attacks in the wild exploiting CVE-2026-0073.
In March, Google confirmed that another vulnerability, tracked as CVE-2026-21385 (CVSS score of 7.8), in an open-source Qualcomm component has been actively exploited.
The flaw is a buffer over-read in the Graphics component that could allow attackers to access sensitive memory data, underscoring ongoing risks to Android users.
The company did not disclose technical details about the attacks exploiting this vulnerability.
(SecurityAffairs – hacking, Google)
