← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-0073 · CWE-303 · Disclosed 2026-05-04

In adbd_tls_verify_cert of auth

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a stolen valet key that only works if someone already left the dev garage door open

CVE-2026-0073 is a logic bug in Android adbd's TLS client-certificate check inside adbd_tls_verify_cert() in auth.cpp. On affected Android 14, 15, 16, and 16-qpr2 builds before the 2026-05-01 security patch level, an attacker on the same local network can abuse the certificate-comparison mistake to bypass Wireless ADB mutual authentication and land an adb shell session as the shell user.

The raw technical impact is real, but the vendor-style severity overstates fleet-wide urgency. In practice this requires *adjacent-network reachability* plus *Wireless debugging to be enabled* on the target, which dramatically shrinks the reachable population in managed enterprise fleets; that is why this scores lower here than the 8.8 baseline, even though the bug is clean, no-click, and now publicly understood.

"Technically nasty, operationally narrow: this only bites where Wireless debugging is already turned on nearby"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a listening Wireless ADB target

The attacker first needs an Android device exposing Wireless ADB on the local network. Discovery can be done with adb mdns services, internal network scanning, or exposure tools such as runZero's protocol:=adb AND os:Android query. This is not an internet-scale bug; it starts with local network proximity.
Conditions required:
  • Attacker has adjacent/local-network access to the victim segment
  • Target device is powered on and connected to the same Wi-Fi or reachable L2/L3 segment
  • Wireless debugging is enabled on the Android device
Where this breaks in practice:
  • Wireless debugging is off by default on normal user devices
  • Many enterprise Wi-Fi deployments segment clients, suppress mDNS, or block peer-to-peer visibility
  • Mobile fleets often disable Developer Options entirely through MDM
Detection/coverage: Good internal asset-discovery coverage if you already enumerate ADB services; poor value from internet-facing scanners because this is usually not exposed to the public internet.
STEP 02

Present a crafted TLS client certificate

Public PoC tooling abuses the EVP_PKEY_cmp() misuse in adbd_tls_verify_cert(). The vulnerable code treated any non-zero comparison result as success; the patch shows the fix was to require cmp_result == 1. In plain English: a key-type mismatch could be misread as a trusted match.
Conditions required:
  • Attacker can initiate a TLS session to the device's ADB-over-Wi-Fi endpoint
  • Attacker has exploit code implementing the malformed or mismatched certificate path
Where this breaks in practice:
  • The exploit is specialized and Android-specific, not a commodity web bug
  • This still depends on the device offering the Wireless ADB service in the first place
Detection/coverage: Static code scanners and CVE feeds catch the vulnerable build; network IDS coverage is likely weak unless you explicitly profile unusual ADB-over-TLS attempts on Wi-Fi segments.
STEP 03

Bypass mutual authentication and complete ADB session

Once the certificate check is fooled, adbd treats the attacker as an authorized debugging host. That turns the vulnerability into an authenticated-by-bug ADB connection, without the normal trust ceremony. No user tap, no credentials, and no legitimate pairing are required after the vulnerable path is hit.
Conditions required:
  • Vulnerable adbd version
  • Successful handshake through the flawed certificate-verification logic
Where this breaks in practice:
  • Patched devices reject the handshake cleanly
  • Transient network changes can break wireless ADB sessions before the attacker gets stable access
Detection/coverage: ADB connection events, developer-options telemetry, and unusual shell activity may be visible to mobile telemetry products, but many orgs do not collect that level of Android runtime detail.
STEP 04

Operate as the Android shell user

The payoff is remote code execution as shell, not root. That is still powerful for debugging-style actions, package operations, log access, and device interrogation, but SELinux and the non-root context limit total blast radius compared with full device compromise. The real risk is concentrated in developer, QA, kiosk, and lab devices where debugging exposure is intentional and persistent.
Conditions required:
  • ADB session established
  • Target workload is valuable enough that shell access matters
Where this breaks in practice:
  • No direct root privileges from the CVE alone
  • Enterprise-managed work profiles and app sandboxing still constrain some follow-on actions
Detection/coverage: Mobile EDR/MTD with process and ADB telemetry can catch suspicious shell activity; basic vulnerability scanners usually stop at version detection and won't confirm exploitability.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed active exploitation found in authoritative public sources reviewed, and CISA KEV does not list this CVE. Treat that as *absence of evidence*, not proof of safety.
Proof-of-concept availabilityPublic PoC reporting exists, including references to GitHub repos such as SecTestAnnaQuinn/CVE-2026-0073-Android-adbd-authentication-bypass-POC and MartinPSDev/CVE-2026-0073-Android-ADBD-bypass-POC; that lowers attacker effort materially.
EPSS0.00009 (~0.009%) per the prompt, which is extremely low and consistent with a narrow, non-internet-scale attack surface.
KEV statusNot listed in CISA's Known Exploited Vulnerabilities catalog as of the sources reviewed.
CVSS vector reality checkCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H captures the adjacent/no-auth/no-click mechanics correctly, but CVSS does not model that Wireless debugging is typically off by default and often policy-disabled in enterprise fleets.
Affected versionsAndroid 14, 15, 16, and 16-qpr2 before the 2026-05-01 patch level, per the Android Security Bulletin and NVD CPEs.
Fixed versionsDevices at Android security patch level 2026-05-01 or later are in scope for the fix; because adbd is a Project Mainline component, some devices may receive it via Google Play system update rather than a full OEM firmware flash.
Exposure/scanning realityThis is mainly an internal exposure-management problem, not an internet census problem. runZero explicitly recommends locating candidates with protocol:=adb AND os:Android; public Shodan/Censys-style counts are not the right leading indicator here.
Disclosure timelineDisclosed 2026-05-04 in the Android Security Bulletin, which was updated 2026-05-07 with AOSP links. The fix commit itself was authored 2026-01-09 and landed 2026-03-05.
Attribution/reportingThe public bulletin does not credit an external finder. The authoritative public breadcrumb is Android bug A-469080888 and the AOSP fix by Joshua Duong.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.6/10)

The single biggest downward driver is required exposure state: the attacker does not get value unless Wireless debugging is already enabled on the phone and reachable from the same local network. That turns a scary no-click auth bypass into a narrow, mostly developer-device problem instead of a broad enterprise patch emergency.

HIGH Technical root cause and affected-version mapping
MEDIUM Enterprise prevalence of exposed Wireless debugging
MEDIUM Public PoC availability and weaponization risk

Why this verdict

  • Start from 8.8 HIGH: adjacent-network, no-auth, no-click RCE is serious in a vacuum.
  • Downward adjustment for attacker position: AV:A means the attacker must already be on the same local network path. That is not internet-reachable initial access; it implies physical proximity, guest Wi-Fi presence, or prior foothold on internal wireless.
  • Downward adjustment for exposure population: the device must have *Wireless debugging enabled*. In real fleets that is a minority state, often concentrated in engineering, QA, kiosks, and lab devices rather than the whole 10,000-host estate.
  • Downward adjustment for control friction: modern MDM baselines, client isolation, mDNS suppression, and restrictive corporate Wi-Fi all break or shrink discovery and reachability for ADB-over-Wi-Fi.
  • Downward adjustment for blast radius: the payload lands as Android shell, not root. That still hurts, but it is materially less catastrophic than full system compromise.
  • Upward adjustment for exploitability quality: the bug is deterministic, no-click, and public PoC reporting exists, so this is not a purely theoretical code-path issue.

Why not higher?

It is not higher because this is not a broadly reachable remote edge-service bug. The exploit chain depends on a niche administrative feature being enabled on the endpoint and on the attacker sharing the right network position, which compounds into a sharply reduced exposed population. The post-exploitation context is also shell, not root.

Why not lower?

It is not lower because the technical exploit path is clean once the prerequisites are met. No user interaction is required, the authentication boundary really is bypassed, and exposed developer or lab devices can be high-value pivots with sensitive test data, app builds, and privileged trust relationships.

05 · Compensating Control

What to do — in priority order.

  1. Disable Wireless debugging — Turn off Wireless debugging anywhere it is not explicitly required, especially on developer handsets, QA pools, kiosks, and shared lab devices. For a MEDIUM verdict there is no noisgate mitigation SLA, so treat this as a hardening change in normal config cadence rather than an emergency push; still, it is the most effective exposure reducer because it removes the listening service entirely.
  2. Enforce Developer Options restrictions via MDM — Use Android Enterprise policy to block or tightly scope Developer Options and debugging features on production-user devices. There is no mitigation SLA at MEDIUM, but pushing this control before the patch reaches the whole fleet prevents the vulnerable code path from being reachable in the first place.
  3. Segment client Wi-Fi — Apply client isolation, mDNS suppression where operationally safe, and peer-to-peer restrictions on corporate wireless networks. This does not fix the bug, but it raises exploitation friction by breaking discovery and direct local reachability; implement during normal network-change windows since MEDIUM has no noisgate mitigation SLA.
  4. Inventory ADB-exposed Android assets — Query internal exposure tools for Android devices speaking ADB, for example runZero's protocol:=adb AND os:Android, and hand that list to mobile/endpoint owners. Use it to target patch validation and policy cleanup ahead of the 365-day remediation window.
What doesn't work
  • Perimeter WAF or email security controls do nothing here; this is not a web or phishing entry path.
  • Relying on 'not internet-facing' is insufficient, because the threat model is *adjacent network* and many offices, labs, and guest networks provide exactly that proximity.
  • MFA is irrelevant; the vulnerable path is a certificate-verification logic error inside adbd, not an identity-provider login flow.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with the Android adb client installed and a USB- or already-managed-ADB-connected target device. Invoke it as ./check-cve-2026-0073.sh <serial> or ./check-cve-2026-0073.sh for a single attached device; it needs enough access to run adb shell getprop, but does not require root on the phone.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-cve-2026-0073.sh
# Determine likely exposure to CVE-2026-0073 based on Android version and security patch level.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET_SERIAL="${1:-}"
ADB_BIN="${ADB_BIN:-adb}"
FIXED_SPL="2026-05-01"

adb_cmd() {
  if [[ -n "$TARGET_SERIAL" ]]; then
    "$ADB_BIN" -s "$TARGET_SERIAL" "$@"
  else
    "$ADB_BIN" "$@"
  fi
}

fail_unknown() {
  echo "UNKNOWN: $1"
  exit 2
}

normalize_date() {
  # Accept YYYY-MM-DD only.
  local d="$1"
  if [[ "$d" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]]; then
    echo "$d"
  else
    echo ""
  fi
}

# Ensure adb can see the target.
adb_cmd get-state >/dev/null 2>&1 || fail_unknown "adb cannot reach target device"

RELEASE_RAW="$(adb_cmd shell getprop ro.build.version.release 2>/dev/null | tr -d '\r')"
SPL_RAW="$(adb_cmd shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')"
PRODUCT_RAW="$(adb_cmd shell getprop ro.product.model 2>/dev/null | tr -d '\r')"
BUILD_RAW="$(adb_cmd shell getprop ro.build.fingerprint 2>/dev/null | tr -d '\r')"

[[ -n "$RELEASE_RAW" ]] || fail_unknown "missing ro.build.version.release"
SPL="$(normalize_date "$SPL_RAW")"

# Extract major Android release number (14, 15, 16, etc.).
MAJOR="${RELEASE_RAW%%.*}"
if ! [[ "$MAJOR" =~ ^[0-9]+$ ]]; then
  fail_unknown "unrecognized Android release: $RELEASE_RAW"
fi

# Affected releases from public advisory: 14, 15, 16 / 16-qpr2 track.
if (( MAJOR < 14 )); then
  echo "PATCHED: device is Android $RELEASE_RAW, outside the published affected range (14/15/16). Model=$PRODUCT_RAW"
  exit 0
fi

if (( MAJOR > 16 )); then
  echo "PATCHED: device is Android $RELEASE_RAW, newer than the published affected range. Model=$PRODUCT_RAW"
  exit 0
fi

if [[ -z "$SPL" ]]; then
  fail_unknown "missing or malformed security patch level on affected Android $RELEASE_RAW device"
fi

if [[ "$SPL" < "$FIXED_SPL" ]]; then
  echo "VULNERABLE: Android $RELEASE_RAW with security patch level $SPL is older than $FIXED_SPL. Model=$PRODUCT_RAW Fingerprint=$BUILD_RAW"
  exit 1
fi

echo "PATCHED: Android $RELEASE_RAW with security patch level $SPL meets or exceeds $FIXED_SPL. Model=$PRODUCT_RAW Fingerprint=$BUILD_RAW"
exit 0
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do targeted inventory first: find Android assets with Wireless debugging exposure, especially developer, QA, kiosk, and lab pools, and disable that feature where it is not mission-essential. Because this lands at MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window for patching, but don't confuse that with indifference: use normal mobile-management cadence to harden exposure now, then ensure affected Android 14/15/16 devices reach security patch level 2026-05-01 or later within the noisgate remediation SLA of ≤365 days; if you discover exposed dev fleets on shared Wi-Fi, treat those subsets as priority exceptions and patch/harden them ahead of the general queue.

Sources

  1. Android Security Bulletin—May 2026
  2. NVD entry for CVE-2026-0073
  3. AOSP fix commit for bug 469080888
  4. AOSP diff showing `EVP_PKEY_cmp` fix
  5. Android Developers: ADB over Wi-Fi prerequisites
  6. runZero: finding Android ADB on your network
  7. FIRST EPSS data and methodology
  8. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.