Researchers find six new vulnerabilities in AirDrop and Quick Share affecting 5 billion devices

A new study from CISPA Helmholtz Center for Information Security reports six pre-authentication vulnerabilities across Apple AirDrop and Google/Samsung Quick Share, the proximity file-transfer protocols that the paper says run on more than 5 billion devices. Most of the flaws let a nearby attacker crash a device or manipulate the transfer protocol rather than steal files, and one bug in the Windows version of Quick Share earned a Google bounty.

The paper, posted to arXiv on June 25, 2026 by Arash Ale Ebrahim and Nils Ole Tippenhauer, describes what the authors call the first cross-platform reverse engineering and protocol-aware fuzzing study of both stacks. Earlier academic work on AirDrop focused mostly on privacy and the underlying wireless link layer; the application layer that actually parses incoming files had not been examined in this depth, according to the authors.

Six vulnerabilities

The researchers catalog six issues they label V1 through V6. Three sit in Apple AirDrop: a denial-of-service crash in the code that routes incoming web requests (V1), a stack overflow triggered by deeply nested XML data in Apple's Foundation framework (V2), and a null-pointer crash in Apple's networking framework (V3). The paper says V2 reaches beyond AirDrop, because any Apple app that parses untrusted XML property lists uses the same vulnerable code, spanning macOS, iOS, watchOS, tvOS, and visionOS.

Two more affect Samsung's Quick Share: the service begins processing protocol messages before the secure handshake finishes (V4), and three of seven message types are accepted after the handshake without the required encryption wrapper (V5). The sixth, and the most serious by the paper's own rating, is a use-after-free in Google Quick Share for Windows caused by a race condition in how the software tracks connecting devices (V6).
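The receive-side checks whose absence V4 and V5 describe can be sketched as a fail-closed state machine. This is an added example, not code from the paper or from Google's or Samsung's implementation. The frame names, the `Receiver` class and the `seal` helper are hypothetical, the session key is passed in rather than derived by a handshake, and an HMAC tag stands in for the real encryption wrapper.

```python
import hashlib
import hmac
from enum import Enum, auto

class State(Enum):
    AWAIT_HANDSHAKE = auto()
    SECURED = auto()
    CLOSED = auto()

# Hypothetical frame names: the article does not list the real message types.
HANDSHAKE_FRAMES = ("HELLO", "KEY_CONFIRM")
APP_FRAMES = {"INTRODUCTION", "RESPONSE", "PAYLOAD", "KEEP_ALIVE", "CANCEL"}

def seal(key: bytes, kind: str, body: bytes) -> bytes:
    """Sender side of the stand-in wrapper: a tag binding frame type and body."""
    return hmac.new(key, kind.encode() + b"\x00" + body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, session_key: bytes):
        # Assumption: the key is handed in; a real handshake would derive it.
        self.key, self.state = session_key, State.AWAIT_HANDSHAKE
        self.step = 0          # index of the next expected handshake frame
        self.delivered = []    # frames that reached application logic

    def _reject(self, reason: str) -> str:
        self.state = State.CLOSED  # fail closed: one violation ends the session
        return "reject: " + reason

    def on_frame(self, kind: str, body: bytes, tag=None) -> str:
        if self.state is State.CLOSED:
            return "reject: session closed"
        if self.state is State.AWAIT_HANDSHAKE:
            # V4 class: only the next expected handshake frame is handled here.
            if kind != HANDSHAKE_FRAMES[self.step]:
                return self._reject("frame before handshake completed")
            self.step += 1
            if self.step == len(HANDSHAKE_FRAMES):
                self.state = State.SECURED
            return "ok: handshake"
        # V5 class: the wrapper is verified before any per-type dispatch, so no
        # message type can be reachable without it.
        if tag is None:
            return self._reject("missing secure wrapper")
        if not hmac.compare_digest(tag, seal(self.key, kind, body)):
            return self._reject("wrapper verification failed")
        if kind not in APP_FRAMES:
            return self._reject("unexpected frame type")
        self.delivered.append((kind, body))
        return "ok: delivered"
```

Placing the wrapper check ahead of the type dispatch means a newly added message type is covered by default instead of depending on a per-type list being kept up to date.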

The authors are careful about impact. They classify V1 through V5 as denial-of-service or protocol-state manipulation, not remote code execution. The team writes that it tested at least ten ways to skip the user-acceptance prompt and silently pull files onto a target device, and that all of them were rejected, because the auto-accept decision is tied to a hardware-bound Apple ID certificate an attacker cannot forge. In other words, the AirDrop findings are about knocking the service over and disrupting Apple's Continuity features, not quietly receiving files.

The paper describes the Windows use-after-free as a classic vtable-hijack pattern and says exploitation is plausible, noting that Control Flow Guard is disabled in the affected binary. The authors say they confirmed the crash and that Google awarded a bounty, with a CVE identifier pending. They state they did not develop a full working exploit.

Wireless

The threat model in the paper is an attacker within wireless range, typically 10 to 30 meters, using a commodity laptop and no prior relationship with the target. Exposure depends on settings. AirDrop is reachable this way when set to "Everyone for 10 Minutes," and Quick Share when the device is visible to nearby devices. The researchers note that crowded places such as airports, transit hubs, and conferences would let a single attacker reach many devices at once.

Disclosure status

According to the paper, all six issues were reported through the vendors' coordinated disclosure channels. Apple acknowledged V1 through V3 and has fixes in progress, with no CVEs assigned yet. Samsung passed V4 and V5 to Google after determining the affected code originates in Google's Nearby and Quick Share components; those two remain under investigation. Google acknowledged the Windows use-after-free and paid a bounty, and a CVE is pending. The team also released its fuzzing tool, called AirFuzz, along with reproduction artifacts on Zenodo.



International Cyber Digest
