
AirDrop and Quick Share Flaws Expose Devices to Local Attacks


More than five billion active Apple and Android devices sit inside the wireless ecosystem where two researchers found a set of defects that let a nearby attacker crash core sharing services or bypass session checks, according to a new paper by Arash Ale Ebrahim and Nils Ole Tippenhauer of the CISPA Helmholtz Center for Information Security.

Who found this and what they pulled apart

Ebrahim and Tippenhauer published the first side-by-side analysis of AirDrop and Samsung Quick Share above the radio layer, tracing failures from discovery into session handling, parsing, and trust decisions. Their work identifies six distinct flaws across the two stacks and includes reproducible test tools released openly so other security teams can verify the results.

AirDrop: three ways to take sharingd down

All three AirDrop flaws culminate in crashes of sharingd, the background service on macOS and iOS that also supports AirPlay, Handoff, Universal Clipboard, Continuity Camera, and NameDrop. The simplest attack requires a single malformed request sent to a device with AirDrop set to receive from "Everyone"; sending that malformed message on a loop (about one every two seconds) keeps the features down and prevents legitimate AirDrop transfers while the attack continues.

Two of the three AirDrop defects live in shared Apple frameworks. The broadest is a stack overflow in Foundation's XML property list parser triggered by a small file with roughly 200 nested layers. Any Apple app that opens an untrusted file of that type could follow the same parser path across macOS, iOS, watchOS, tvOS, and visionOS. The researchers reproduced the AirDrop crashes on macOS 15.7.4, macOS 26.3, iOS 18.x, and iOS 26.3; an older iOS 16 build was not affected.
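A defensive pattern for the nesting problem described above, as an added example that is not taken from the paper or its tooling: measure element depth in one streaming pass and refuse the document before any tree-building parser sees it. It uses Python's `plistlib` and `expat` as stand-ins for the parser being protected; `MAX_DEPTH`, `load_untrusted_plist` and the sample generator are assumptions made for the illustration.

```python
import plistlib
from xml.parsers import expat

MAX_DEPTH = 32  # assumed policy limit, not a value from the paper


class PlistTooDeep(ValueError):
    """The document nests more deeply than the policy allows."""


def max_nesting(data: bytes, limit: int = MAX_DEPTH) -> int:
    # Stream the XML once, tracking depth with a counter instead of
    # recursion, and stop as soon as the limit is exceeded.
    depth = 0
    deepest = 0

    def start(_name, _attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > limit:
            raise PlistTooDeep(f"nesting exceeds {limit} levels")

    def end(_name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # an exception raised in a handler propagates
    return deepest


def load_untrusted_plist(data: bytes, limit: int = MAX_DEPTH):
    # Gate first, parse second: the tree builder never sees hostile depth.
    max_nesting(data, limit)
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


def nested_plist(layers: int) -> bytes:
    # Constructed sample input: `layers` arrays nested inside one another.
    return (b'<plist version="1.0">' + b"<array>" * layers
            + b"</array>" * layers + b"</plist>")
```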

Apple has already patched one of the three AirDrop bugs and assigned it a CVE; that advisory is not yet public. Users were advised to install Apple's latest updates — iOS and macOS 26.5.2 shipped June 29 — and to keep AirDrop on "Contacts Only" or off rather than "Everyone," which is the setting these flaws require.

Quick Share: handshake bypasses and a Windows memory bug

On Android, the researchers found two Quick Share flaws in Samsung's implementation that let an attacker skip handshake checks. One allows an unverified device to start driving a connection before encryption is established; the other permits some control messages to pass unencrypted even after a secure session exists, enabling an attacker on the same Wi‑Fi network to force a connection into an "accepted" state, keep it alive, or cause the server to return attacker-supplied IP and port values. The team tested these on a Galaxy S23 Ultra and cautioned that other Android vendors' Quick Share versions require separate review.
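The two handshake gaps described above share one structural fix: a single dispatch point that checks session state before any handler runs. The sketch below is an added example, not Samsung's or Google's code; the message names, states and the `decrypted_ok` flag are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    CONNECTED = "connected"   # transport is up, peer not yet verified
    ENCRYPTED = "encrypted"   # key exchange completed and verified


# Hypothetical message names; only these may arrive before encryption.
PRE_ENCRYPTION = {"connection_request", "key_exchange"}


class Rejected(Exception):
    """Frame refused by the session gate; no handler was run."""


@dataclass
class Session:
    state: State = State.CONNECTED
    events: list = field(default_factory=list)


def on_key_exchange(session, body):
    # Stand-in: a real handler verifies the exchange before this transition.
    session.state = State.ENCRYPTED


HANDLERS = {
    "connection_request": lambda s, b: s.events.append("requested"),
    "key_exchange": on_key_exchange,
    "accept": lambda s, b: s.events.append("accepted"),
    "keep_alive": lambda s, b: s.events.append("keep_alive"),
}


def dispatch(session, msg_type, body, decrypted_ok):
    # Session checks run here, before any handler. decrypted_ok is set by the
    # transport after authenticated decryption, never read from the frame.
    handler = HANDLERS.get(msg_type)
    if handler is None:
        raise Rejected(f"unknown message type {msg_type!r}")
    if session.state is State.CONNECTED and msg_type not in PRE_ENCRYPTION:
        raise Rejected(f"{msg_type!r} before encryption is established")
    if session.state is State.ENCRYPTED and not decrypted_ok:
        raise Rejected(f"plaintext {msg_type!r} on an encrypted session")
    handler(session, body)
    return session.state
```

Because the gate sits in `dispatch`, a newly added handler inherits both checks without having to repeat them.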

The most serious Quick Share issue surfaced in Google's Quick Share for Windows: a use-after-free memory bug that occurs when two connections collide, leaving the program referencing memory that has already been freed. The researchers confirmed a crash and described the exploit path as plausible in part because Control Flow Guard is switched off in the app. Google acknowledged the bug, paid a bounty, and has landed a code fix; its CVE is pending. The researchers note that Quick Share for Windows has a history of code‑execution chains reported by SafeBreach in 2024 (CVE-2024-38271 and CVE-2024-38272) and a 2025 bypass (CVE-2024-10668); the new use-after-free adds to a pattern of repeated probing and patching. The program's own source carried a comment admitting a prior bug in the same spot: "We had a bug here, caused by a race with EncryptionRunner."

Samsung's two bugs were handed to Google and remain under investigation. As of this writing, researchers report no public evidence that any of these flaws have been exploited in the wild.

Range, exposure, and interoperability

The attacks are local, not internet-wide: an attacker must be within roughly 10 to 30 meters or on the same local network. That constraint narrows the threat from a global remote exploit but still allows a single attacker in a crowded place — an airport, train, or conference — to reach many devices at once. The timing is awkward: Google's AirDrop interoperability for Quick Share is rolling out across flagship Android phones, and it works only when an iPhone is set to receive from "Everyone," the exact AirDrop setting these crash bugs require.

What this means for end users, Android OEMs, and security teams

  • End users: Install iOS and macOS updates (26.5.2 shipped June 29), avoid the "Everyone" AirDrop/Quick Share visibility setting when not actively receiving files, and update Quick Share on Windows now that Google's fix has landed.
  • Android OEMs (Samsung and others): Review Quick Share implementations separately; Samsung's reported handshake and control-message gaps were tested on a Galaxy S23 Ultra and were forwarded to Google for investigation.
  • Security teams and app maintainers: Reproduce the researchers' tests using the released tooling, audit parsers and message handlers that accept untrusted input (noting the Foundation plist overflow), and verify that session-level checks are enforced before individual message handlers run.

The corrections have begun — one Apple patch and a Google fix are in place and other issues are in coordinated disclosure — but the pattern the researchers highlight is clear: crashes and bypasses repeatedly appear where network‑facing code parses inputs or applies checks per handler instead of up front. That pattern, plus the public tooling and the inter‑vendor interoperability rollout, leaves a narrow but practical window for attackers in crowded spaces until remaining patches and disclosures complete.
