Update your Android device right now: this vulnerability lets your phone be attacked without you pressing any buttons


Google has confirmed a fix for a critical vulnerability affecting an operating system component in its May 2026 Android Security Bulletin. This vulnerability, known as CVE-2026-0073, permits remote code execution with shell user privileges without the need for extra permissions, installing programs, clicking links, or consenting to anything. Thankfully, there is a security update available, and it is advised to install it right away.

If you have already installed the May 1, 2026 update or later, you shouldn't experience any problems with this vulnerability. Otherwise, you might have to wait for your device manufacturer to release this update, unless you own a Pixel device or the manufacturer is very quick to implement the fix.

In this case, the vulnerability affects adbd, the Android Debug Bridge daemon, a component you may be familiar with that is used for development, debugging, and communication with the device. Crucially, Google classifies this vulnerability as RCE, or Remote Code Execution, and exploiting it requires no interaction from the victim: the user doesn't need to do anything to grant the attacker access. It's not about a malicious application or a suspicious link.

Why is it called a "no-click" attack? 

Cybersecurity experts describe this as a "no-touch" vulnerability, meaning it doesn't require the phone owner to touch anything for it to occur. However, it's important to note that the official Android release doesn't mention a widespread attack or confirm active exploitation of this vulnerability.

What we do know is that it could lead to remote code execution without any additional privileges or user interaction. This is why the warning level has been raised. Furthermore, since the update is now publicly available, we know that attempts to exploit this vulnerability will begin on devices that are not updated or cannot be updated.

Which Android phones are affected?

According to the official table, the vulnerability affects the AOSP versions Android 14, Android 15, Android 16, and Android 16-qpr2. However, this does not mean that all phones running these versions are equally vulnerable, as factors such as system security measures, manufacturer settings, and update status can affect how exposed a given device is.

To ensure your Android device is protected, check the security patch level. If the date is May 1, 2026, or later, your device is updated to address the vulnerability. To do this:

- Open your phone's settings: Settings > Accessing device settings

- Go to the System section: Settings > System > View update options

- Check for software updates: System > Software Update > Check for pending patches

- Check the patch level: Settings > Security or About phone. The date should be May 1, 2026 or later.

- Update Google Play system: Settings > Security & Privacy > Install update if available

- Restart your device: Power menu > Apply changes after installation

The main recommendation is to install the security update as soon as possible. Other measures also help: disable debugging functions if you are not using them, avoid unknown Wi-Fi networks, and keep Google Play Protect enabled.
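For anyone checking several devices, the patch-level and debugging checks above can be run against saved `getprop` listings. This is an added example, not part of the original article; it assumes the standard `[key]: [value]` listing format and the `ro.build.version.security_patch` and `init.svc.adbd` properties, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example: triage saved `getprop` output against the fixed patch level.
FIXED_SPL="2026-05-01"   # patch level named in the article

# prop_value KEY: print the value of KEY from a getprop listing on stdin.
prop_value() {
    awk -v k="[$1]:" '$1 == k { v = $2; gsub(/^\[|\]$/, "", v); print v; exit }'
}

# to_num DATE: turn YYYY-MM-DD into YYYYMMDD for integer comparison.
to_num() { printf '%s' "$1" | sed 's/-//g'; }

# audit_device: read a getprop listing on stdin and print one verdict:
#   PATCHED            patch level is FIXED_SPL or later
#   UNPATCHED          patch level is older, adbd is not running
#   UNPATCHED_ADBD_ON  patch level is older and adbd is running
#   UNKNOWN            patch level missing or malformed
audit_device() {
    props=$(cat)
    spl=$(printf '%s\n' "$props" | prop_value ro.build.version.security_patch)
    adbd=$(printf '%s\n' "$props" | prop_value init.svc.adbd)
    case "$spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    if [ "$(to_num "$spl")" -ge "$(to_num "$FIXED_SPL")" ]; then
        echo PATCHED
    elif [ "$adbd" = running ]; then
        echo UNPATCHED_ADBD_ON
    else
        echo UNPATCHED
    fi
}

# Constructed sample listings (not taken from real devices).
sample_old() {
    printf '%s\n' '[init.svc.adbd]: [running]' \
        '[ro.build.version.release]: [15]' \
        '[ro.build.version.security_patch]: [2026-03-05]'
}
sample_new() {
    printf '%s\n' '[init.svc.adbd]: [stopped]' \
        '[ro.build.version.release]: [16]' \
        '[ro.build.version.security_patch]: [2026-05-05]'
}

echo "old sample: $(sample_old | audit_device)"
echo "new sample: $(sample_new | audit_device)"
```

Devices reported as `UNPATCHED_ADBD_ON` are the ones to update or have debugging switched off first.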

