Researchers from the CISPA Helmholtz Center for Information Security have identified six security flaws in Apple’s AirDrop and Google/Samsung’s Quick Share, the wireless file-sharing features used across billions of devices.
An attacker within wireless range (approximately 10–30 meters) can crash the sharingd service on a Mac or iPhone set to receive from “Everyone” — with no tap or user prompt required. Since sharingd also handles AirPlay, Handoff, Universal Clipboard, Continuity Camera, and NameDrop, one crash takes the entire suite down. Sending crash messages on a loop, about one every two seconds, keeps the features disabled for as long as the attacker continues.
Three AirDrop Bugs
The simplest of the three AirDrop flaws needs only a single malformed request sent to a device with AirDrop visibility set to “Everyone.” The broadest bug is a stack overflow in Foundation’s XML property list parser, triggered by a small file with around 200 nested layers. Any Apple app that opens an untrusted file of that type could hit the same parser path across macOS, iOS, watchOS, tvOS, and visionOS.
Quick Share Bugs and a Fix That Broke
On the Android side, two flaws in Samsung’s Quick Share allow an attacker to bypass session handshake protections. One lets an unverified device start driving the connection before encryption is set up. Another allows control messages to pass unencrypted even after a secure session exists.
Most critically, Google’s Quick Share for Windows contains a use-after-free memory bug triggered when two connections collide at the right instant. The researchers confirm the crash path is potentially exploitable because Control Flow Guard is disabled in the app. Google has acknowledged the flaw, paid a bounty, and landed a fix — though its CVE is still pending.
Patch Status
Apple patched one of the three AirDrop bugs in iOS and macOS 26.5.2 (shipped June 29). Two others remain in coordinated disclosure. Samsung’s bugs are under investigation by Google. No public reports of exploitation have surfaced.
The research also lands at an awkward moment — Google’s AirDrop interoperability for Quick Share is already rolling out across flagship Android phones, and it only works when the iPhone is set to receive from “Everyone,” the exact setting that exposes the AirDrop crash bugs.
Mitigation: Keep AirDrop on “Contacts Only” or turned off when not in active use. Leave Quick Share out of “Everyone” visibility.