AirDrop and Quick Share: Six Vulnerabilities in Proximity Transfer Protocols Expose Over 5 Billion Devices to Attacks From 30 Metres Away With No User Interaction
Eric Serrano Bustos
In late June 2026, researchers from CISPA Helmholtz Center for Information Security, Arash Ale Ebrahim and Nils Ole Tippenhauer, published the results of a systematic study of Apple and Google’s proximity transfer protocols. The work, presented at the WOOT 2026 workshop, identified six vulnerabilities in AirDrop (Apple) and Quick Share (Google and Samsung) that together expose more than 5 billion devices running iOS, macOS, Android and Windows to attacks launched from wireless proximity, without the target user doing anything or even knowing they are being attacked. The three AirDrop flaws allow an unauthenticated attacker, with a laptop and within 30 metres, to repeatedly and continuously crash Apple’s transfer service and all associated continuity services: AirPlay, Handoff, Universal Clipboard, Continuity Camera and NameDrop. In Quick Share, the researchers found two authentication bypasses on Android and a use-after-free in the Windows client with escalation potential beyond the crash. Disclosure was responsible to Apple, Google and Samsung. Apple has already patched one of the three AirDrop flaws. The rest remains in coordinated remediation.
What do we know about the six vulnerabilities in AirDrop and Quick Share?
Facts documented by CISPA, Help Net Security, The Hacker News, Security Boulevard, Cybernews and Privacy Guides:
Research: Arash Ale Ebrahim and Nils Ole Tippenhauer from CISPA performed full reverse engineering of the application-layer protocols of AirDrop and Quick Share, built a custom fuzzer called AIRFUZZ for AirDrop, and completed targeted manual analysis of Quick Share on Android and Windows.
Scope: Apple reports over 2.2 billion active devices running sharingd. Google reports over 3 billion active Android devices with Quick Share as the default sharing mechanism on Samsung and available system-wide on Android. Total: over 5 billion devices on macOS, iOS, Android and Windows.
V1 — Crash from unrecognised HTTP path in AirDrop (zero-click): the sharingd daemon uses a Swift router that calls fatalError when it receives an HTTP request to an unknown URI. An attacker can send a single POST request to an unrecognised path on the AirDrop port and immediately crash sharingd, bringing down AirDrop, AirPlay, Handoff, Universal Clipboard, Continuity Camera and NameDrop. The attack is zero-click, requires no user action, and can be repeated indefinitely.
V2 — Stack overflow from nested XML plist in AirDrop (zero-click): the XML scanner in Foundation.framework parses nested dict structures with no depth limit. An AirDrop Discover request with around 180–200 nesting levels exhausts the stack and causes a crash. The attack affects not just sharingd but Foundation.framework itself, extending the attack surface to macOS, iOS, watchOS, tvOS and visionOS.
V3 — Null-pointer dereference in Network.framework HTTP/1.1 (AirDrop): an HTTP request with malformed framing, such as negative chunk sizes or conflicting Content-Length headers, forces the HTTP parser into an inconsistent state and triggers a null-pointer dereference, crashing the daemon and all associated continuity services again.
V4 and V5 — UKEY2 authentication bypass in Quick Share Android (Samsung): the Quick Share Android implementation processes some application frames before completing the UKEY2 handshake, allowing a nearby attacker to interact with the protocol state machine with attacker-controlled content before cryptographic authentication is established. Additionally, certain control frames are accepted in plaintext after UKEY2 when they should be protected by the SecureMessage encryption layer. Samsung transferred both vulnerabilities to Google, where they remain under investigation.
V6 — Use-after-free in Quick Share for Windows (Google): a race condition in the endpoint lifecycle management of Quick Share for Windows causes a use-after-free. Google acknowledged the validity of the flaw, paid a bug bounty, and has a fix available. The CVE is pending assignment. The bug is potentially exploitable beyond a crash depending on heap layout and system mitigations.
Patch status: Apple has patched V1 with a CVE assigned but advisory private for now. V2 and V3 remain in coordinated remediation with no public CVE. Google has a fix for V6 with CVE pending. V4 and V5 remain under investigation at Google. No confirmed active exploitation.
Exploitation condition: for the AirDrop flaws, the attacker needs the target device to have AirDrop set to “Everyone” or “Everyone for 10 Minutes”. For Quick Share, the device must be visible to nearby devices.
Why corporate environments are the most exposed scenario
AirDrop and Quick Share vulnerabilities are proximity attacks, not network attacks. The attacker does not need to compromise the organisation’s perimeter or send a phishing email: they need to be physically nearby. That makes corporate environments particularly vulnerable for three reasons:
Offices, meeting rooms and coworking spaces concentrate dozens of Apple devices within 30 metres. An employee with AirDrop set to “Everyone” at a client meeting, a sector conference, an airport en route to a corporate event, or simply in an open-plan office, falls within the attack radius of anyone in that space. In densely populated environments, a single attacker can simultaneously reach hundreds of devices.
The services that go down are not just AirDrop. When V1 crashes sharingd, it does not just stop file transfers: it kills AirPlay (the presentation on the meeting room screen), Handoff (continuity between an employee’s Mac and iPhone), Universal Clipboard (the shared clipboard across Apple devices, which may contain sensitive data copied seconds earlier), Continuity Camera and NameDrop. An attack mid-presentation or mid-negotiation has real operational impact, not just a technical one.
Many corporate devices have AirDrop set to “Everyone” without anyone having deliberately configured it that way. The default setting varies by iOS version and MDM policy, but in many environments without an explicit fleet policy on AirDrop, employees enable it occasionally to receive files and never disable it. Auditing the real exposure of a mid-sized organisation’s device fleet can produce surprising results.
How the attacks work: from a malformed request to a cascading crash
The attacker, with an ordinary laptop and Wi-Fi connectivity, identifies Apple devices with AirDrop active in the environment. AirDrop uses Apple’s AWDL protocol for nearby device discovery. Devices with AirDrop set to “Everyone” are visible and reachable with no prior authentication.
The attacker sends a single HTTP POST request to the AirDrop listener with an unrecognised URI and a non-empty body. No knowledge of the victim or credentials are required. A single request of a few bytes is enough.
The sharingd Swift router calls fatalError upon receiving an unknown path, abruptly terminating the process. sharingd simultaneously manages AirDrop, AirPlay, Handoff, Universal Clipboard, Continuity Camera and NameDrop.
All those services become inoperative on the target device simultaneously. The user has done nothing, has not accepted any transfer, has not even seen a notification.
The attacker can repeat the request every few seconds to keep services down continuously, preventing sharingd from restarting and blocking the user from recovering AirDrop, AirPlay and other continuity services as long as the attacker stays within range.
Key lessons and immediate mitigation for businesses
Immediate mitigation (available without waiting for patches):
Set AirDrop to “Contacts Only” across the entire corporate Apple device fleet. The three AirDrop flaws (V1, V2, V3) are only reachable when the device is set to “Everyone” or “Everyone for 10 Minutes”. Switching to “Contacts Only” eliminates the attack surface for all three vulnerabilities without losing transfer functionality between colleagues.
For users who need to receive from anyone: enable AirDrop in “Everyone” mode only during the specific transfer and disable it immediately afterward. Do not leave it permanently active in uncontrolled environments.
On Quick Share for Android: set visibility to “Contacts Only” or disable Quick Share when not actively in use in corporate environments.
On Quick Share for Windows: update the client to the latest version. Google has a fix available for V6 (the use-after-free). Do not leave Quick Share in permanently visible mode in shared work environments.
For IT and security managers:
Establish an explicit MDM policy on the AirDrop visibility mode on all managed Apple devices. Without a fleet policy setting this centrally, the configuration is left to each employee.
Audit the current state of AirDrop on the managed device fleet. Tools like Jamf or Microsoft Intune allow querying and applying AirDrop configuration at scale.
Include AirDrop and Quick Share in the corporate device usage policy with clear instructions on when to enable them and with what setting.
Apply Apple’s patches as soon as they are available. Apple already has a fix for V1 being distributed. Keeping iOS and macOS updated is the only complete long-term solution.
Cybersecurity as a strategic priority
The AirDrop and Quick Share vulnerabilities are a reminder that the corporate attack surface is not limited to the network perimeter or office endpoints: it includes every device employees carry with them. An employee with an iPhone set to AirDrop “Everyone” at a sector conference, at a client, at an airport, or in a waiting room can be targeted by an attack that requires no phishing, no stolen credentials, no server vulnerability. It requires only physical proximity. For organisations with Apple and Android device fleets, today’s question is not whether the CISPA patches are applied, but whether they have an MDM policy controlling AirDrop visibility mode across the entire fleet, and whether their employees know that AirDrop set to “Everyone” in a public space is an active attack surface.
Apolo Cybersecurity: mobile device security posture review and MDM policies
At Apolo Cybersecurity we help organisations review and strengthen the security of their corporate mobile device fleet: auditing the AirDrop and Quick Share configuration status across managed devices, designing MDM policies for centralised management of proximity protocol visibility, assessing Apple and Android device exposure in high-risk environments (conferences, travel, coworking spaces), and updating corporate device usage policies to include proximity transfer protocols.
If your organisation has a managed Apple device fleet and does not have an explicit MDM policy on the AirDrop visibility mode, the CISPA research is the signal to establish it before the next patch arrives.