Researchers from the CISPA Helmholtz Center for Information Security have uncovered six security flaws in Apple’s AirDrop and Google/Samsung’s Quick Share wireless file-sharing features. The vulnerabilities allow an attacker within wireless range (approximately 10-30 meters) to crash the sharing service on Mac or iPhone devices set to receive from ‘Everyone,’ bypass session checks on Samsung devices, and trigger a potentially exploitable use-after-free crash in Google’s Quick Share for Windows app.
The three AirDrop bugs all crash the sharingd background service, which also handles AirPlay, Handoff, Universal Clipboard, Continuity Camera, and NameDrop. One flaw requires only a single malformed request to a device with AirDrop set to ‘Everyone.’ Two others are broader, including a stack overflow in Foundation’s XML property list parser that could affect multiple Apple platforms. Apple has patched one bug (CVE assigned but advisory not yet public) and is coordinating disclosure on the other two.
On Android, two Samsung Quick Share flaws allow an unverified device to initiate a connection before encryption is set up and let control messages pass unencrypted. Google’s Quick Share for Windows has a use-after-free memory bug triggered by simultaneous connections, with Control Flow Guard disabled in the app. Google paid a bounty and has landed a code fix (CVE pending). This is not the first such issue; previous CVEs include CVE-2024-38271, CVE-2024-38272, and CVE-2024-10668.
No public exploitation has been reported. Users are advised to install the latest Apple updates (iOS and macOS 26.5.2), keep AirDrop on ‘Contacts Only’ or off, and update Quick Share for Windows. The findings come as Google rolls out AirDrop interoperability for Quick Share, a feature that requires the iPhone to be set to ‘Everyone,’ the exact setting that exposes the AirDrop crash bugs.
CVEs: CVE-2024-38271, CVE-2024-38272, CVE-2024-10668, CVE-2026-20245
Companies: Apple, Google, Samsung, CISPA Helmholtz Center for Information Security, SafeBreach
Products: AirDrop, Quick Share, macOS, iOS, Windows, Galaxy S23 Ultra
Original source: thehackernews.com