The file-sharing feature on billions of phones can be crashed by anyone standing nearby. Researchers at the CISPA Helmholtz Center disclosed six vulnerabilities on June 30, 2026, spanning Apple AirDrop and Google and Samsung Quick Share, that let an attacker within wireless range disrupt a target device with no pairing, no shared network and no user tap. The good news buried under the scary headline: the flaws cause denial of service, crashing the daemons behind file sharing, and the researchers found no way to steal files or run code.

  • Six vulnerabilities (V1 to V6) span macOS, iOS, Android and Windows, published in an arXiv paper titled Protocol Prying by CISPA researchers.
  • The affected proximity protocols run on roughly five billion devices and are reachable from wireless range (about 10 to 30 meters) with no prior pairing.
  • Impact is denial of service: the bugs crash privileged daemons, but the team found no file theft, no sandbox escape and no arbitrary code execution.
  • Apple acknowledged V1 to V3 and has fixed one with a CVE (advisory still private); Samsung's V4 to V5 went to Google; Google fixed the Windows use-after-free (V6) and paid a bounty.
[Figure: Why proximity transfer is a zero-click target. Attacker in wireless range (no pairing needed) → Listening daemon (AirDrop / Quick Share, runs privileged) → Crash (service dies, features break).]
Fig 1 The core problem: AirDrop and Quick Share listen for nearby devices without pairing and parse complex serialized formats inside privileged daemons, so a malformed payload from anyone in range can crash the service with no tap from the victim.

What did the researchers find?

Two CISPA researchers, Arash Ale Ebrahim and Nils Ole Tippenhauer, systematically probed AirDrop and Quick Share, which are proprietary and largely undocumented, and came away with six distinct bugs. Three are pre-authentication issues in macOS and iOS AirDrop: a Swift fatalError denial of service in the HTTP path router, unbounded XML plist recursion in Foundation, and a null-pointer dereference in Network.framework's HTTP/1.1 parser. Two are protocol-layer flaws in Samsung Quick Share, including a pre-authentication frame dispatch bug and an encryption bypass for certain frame types. The sixth is a heap use-after-free in Google's Quick Share for Windows client. Both protocols, the paper argues, expose pre-authentication attack surface from wireless proximity and validate input poorly at the application layer.
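The unbounded plist recursion finding (V2) comes down to a parser that lets the sender decide how deep it recurses. As an added example (not code from the paper, from Apple or from this article), the Python below bounds nesting depth in one streaming pass before the real parse; the limits, function names and sample input are assumptions made for illustration.

```python
import plistlib
import xml.parsers.expat

MAX_DEPTH = 64        # assumed limit; size it to your legitimate payloads
MAX_BYTES = 1 << 20   # assumed 1 MiB cap on an unauthenticated body


class PlistRejected(ValueError):
    """Raised when a payload fails the pre-parse checks."""


def check_plist_depth(data, max_depth=MAX_DEPTH):
    """Stream the XML once and return its deepest nesting level.

    Aborts as soon as the limit is crossed, so the work done is bounded
    by max_depth rather than by whatever the sender chose to nest.
    """
    if len(data) > MAX_BYTES:
        raise PlistRejected("payload too large")
    depth = deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            raise PlistRejected(f"nesting deeper than {max_depth}")

    def end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise PlistRejected(f"malformed XML: {exc}") from exc
    return deepest


def load_untrusted_plist(data):
    """Run the depth gate first, then hand the bytes to the real parser."""
    check_plist_depth(data)
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


def nested_arrays(depth):
    """Constructed sample input: `depth` empty arrays nested in one plist."""
    return b'<plist version="1.0">' + b"<array>" * depth + b"</array>" * depth + b"</plist>"
```

The same gate applies to any pre-authentication parser of nested formats: enforce size and depth limits before the recursive code runs, and reject rather than crash.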


How bad is it, really?

Less bad than the raw numbers suggest, and that nuance matters. The disclosed bugs primarily disrupt availability rather than exposing data: the researchers did not find a way to steal files, bypass platform security or run arbitrary code. What they enable is remote denial of service, crashing the system daemons responsible for file sharing and continuity features. The attack also requires proximity, roughly 10 to 30 meters, with no prior pairing or shared Wi-Fi, and the AirDrop bugs specifically require the target to be in the most permissive "Everyone for 10 Minutes" mode. So this is not a mass-exploitation, steal-your-photos scenario. It is a nearby-attacker nuisance-to-disruption class of bug, most relevant in crowded public spaces, that in the worst framing crashes a phone's sharing stack until it recovers.

| Flaw | Platform | Type | Status |
|------|----------|------|--------|
| V1 | macOS / iOS AirDrop | Swift fatalError DoS | Fixed, CVE pending public |
| V2 | macOS / iOS AirDrop | Unbounded plist recursion | Under disclosure |
| V3 | macOS / iOS AirDrop | Null-deref in HTTP parser | Under disclosure |
| V4 | Samsung Quick Share | Pre-auth frame dispatch | Sent to Google |
| V5 | Samsung Quick Share | D2D encryption bypass | Sent to Google |
| V6 | Windows Quick Share | Heap use-after-free | Fixed, bounty paid |

The vendor response has been orderly. The team disclosed responsibly to Apple, Samsung and Google. Apple acknowledged V1 to V3 and has already fixed one AirDrop bug with an assigned CVE, though the advisory remains private while the rest stay under coordinated disclosure. Samsung transferred its two findings to Google, and Google fixed the Windows use-after-free and paid a bounty. Patches are landing, but the researchers stress a systemic point: even after these specific bugs are fixed, the underlying attack surface, privileged daemons parsing complex untrusted input from anyone nearby, remains.

What should you do about it?

Very little panic, one small habit. Because the attacks require proximity and the most open sharing mode, the practical mitigation is the one Apple and Google have recommended for years: do not leave AirDrop or Quick Share set to receive from Everyone. Set it to Contacts Only, or Off when you are in a crowd, and turn it back to Everyone only for the moment you need it. Keep your OS updated so the CVE fixes land as they ship. There is no evidence any of these flaws have been exploited in the wild, and the impact is disruption rather than compromise, so this is a tighten-your-settings story, not a drop-everything one.


What to watch · 2026
  • Public CVEs. Apple's advisory is still private. Watch for the AirDrop CVE and any follow-on IDs as coordinated disclosure ends.
  • Samsung's fixes. V4 and V5 moved to Google. Watch for the Quick Share patches to actually ship to Android and One UI.
  • Escalation research. Today these are DoS bugs. Watch whether follow-up work turns any into information disclosure or code execution.
  • Protocol transparency. The paper's real critique is opacity. Watch whether Apple or Google document these stacks or keep them closed.

Our take

This is a model disclosure of a genuinely interesting class of bug, and the responsible thing is to report it accurately rather than for clicks. Yes, five billion devices run these protocols, and yes, the bugs are zero-click from proximity, which sounds alarming. But the researchers were careful to say what they did not find: no file theft, no sandbox escape, no remote code execution on phones. The honest headline is that proximity file transfer is an under-studied, privileged attack surface that parses messy untrusted data, and that surface deserves the scrutiny this paper gives it. The immediate risk to a normal user is low and easily reduced by not broadcasting to Everyone. The lasting value is the reminder that convenience features listening silently in the background are exactly where the next serious bugs will be found, which is why closed, undocumented protocols on billions of devices are worth prying open.

Primary sources

Original analysis by GenZTech. Figures current as of July 2026. Source: arxiv.org