CVE-2026-0073 is a Critical severity Remote Code Execution (RCE) vulnerability included as the only vulnerability fixed in the May 2026 Android Security Bulletin. GrapheneOS first shipped the patch in our 2026030501 security preview release on March 5th. It also isn't nearly as severe as it sounds.
This was a bypass for TLS client certificate authentication in the Android Debug Bridge (ADB) for the Wireless debugging feature. It's only relevant to users enabling developer options, enabling Android Debug Bridge and then enabling Wireless debugging. Wireless debugging is disabled on reboot.
Our security preview releases are recommended in the initial setup wizard via a dedicated page with toggle that's enabled by default. Existing users who weren't shown the page received a notification at boot opening a similar page with a save button. It reappears until a choice is made either way.