GOOGLE patched a critical Android flaw (CVE‑2026‑0073) that could let attackers run code remotely without user action, in the System component. The update prevents potential full device compromise from remote exploitation, with the advisory noting that remote code execution could occur as the shell user with no additional privileges or user interaction. The vulnerability affects adbd, the Android Debug Bridge daemon that enables communication with a computer via ADB.
Google is not aware of any public exploits or attacks in the wild exploiting CVE‑2026‑0073. In March, Google confirmed another vulnerability, CVE‑2026‑21385, in an open‑source Qualcomm component, which has a CVSS score of 7.8 and has been actively exploited. The Qualcomm flaw is described as a buffer over‑read in the Graphics component that could allow access to sensitive memory data, underscoring ongoing risks to Android users.