Full Report
Two researchers have found six security flaws in AirDrop and Quick Share, the wireless features that beam files between nearby devices with no cables or shared network. An attacker within wireless range, with just a laptop and no prior connection, can crash the sharing service on a Mac or iPhone set to receive from anyone, with no tap or prompt. The same research found Quick Share flaws that
Analysis Summary
# Vulnerability: Multi-Platform AirDrop and Quick Share Protocol Flaws
## CVE Details
- **CVE ID:** CVE-2024-38271, CVE-2024-38272, CVE-2024-10668 (previously disclosed, related); **Pending** for the new 2026 Apple/Google discoveries
- **CVSS Score:** Not yet assigned (Preliminary: High)
- **CWE:** CWE-121 (Stack-based Buffer Overflow), CWE-416 (Use After Free), CWE-362 (Race Condition)
## Affected Systems
- **Products:**
  - **Apple:** macOS, iOS, watchOS, tvOS, visionOS (AirDrop/Foundation Framework)
  - **Google:** Quick Share for Windows
  - **Samsung:** Quick Share (Android implementation)
- **Versions:**
  - macOS 15.7.4, macOS 26.3
  - iOS 18.x, iOS 26.3
  - Google Quick Share for Windows (versions prior to the June 2026 fix)
  - Samsung Galaxy S23 Ultra (and likely others)
- **Configurations:** For AirDrop, devices set to receive from "Everyone"; for Quick Share, devices on the same Wi-Fi network.
## Vulnerability Description
Researchers discovered six flaws across two primary wireless sharing protocols:
1. **Apple AirDrop:** A stack overflow exists in the Foundation framework's XML property list parser. By sending a small file with approximately 200 nested layers, an attacker can crash the `sharingd` service. This service manages AirDrop, AirPlay, Handoff, and NameDrop.
2. **Quick Share (Windows):** A Use-After-Free (UAF) memory bug triggered by a race condition when two connections collide. The risk is heightened because Control Flow Guard (CFG) was found to be disabled in the app.
3. **Quick Share (Samsung):** Logic flaws allow unverified devices to skip handshakes and send unencrypted control messages, potentially forcing a connection into an "accepted" state.
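
Item 1 turns on nesting depth, so a receiver can bound depth with a streaming pass before untrusted XML reaches a tree-building parser. The sketch below is an added example, not Apple's fix or the researchers' code; the 64-level limit, the function names, and both sample documents are assumptions constructed here.

```python
import xml.parsers.expat

MAX_DEPTH = 64  # assumed limit for this example; the page states no official bound


class TooDeep(Exception):
    """Element nesting exceeded the configured limit."""


def max_depth_within(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Stream the XML once and return its deepest nesting level.

    Raises TooDeep as soon as the limit is passed. expat reports start/end
    events as it scans, so depth is a counter and no tree is ever built.
    """
    depth = 0
    deepest = 0

    def start(_name, _attrs):
        nonlocal depth, deepest
        depth += 1
        if depth > limit:
            raise TooDeep(f"nesting depth exceeds {limit}")
        deepest = max(deepest, depth)

    def end(_name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # True marks the final chunk
    return deepest


def safe_to_parse(data: bytes, limit: int = MAX_DEPTH) -> bool:
    """True only for well-formed XML that stays within the depth limit."""
    try:
        max_depth_within(data, limit)
        return True
    except (TooDeep, xml.parsers.expat.ExpatError):
        return False


# Constructed samples (not captured traffic, not the researchers' file).
NORMAL = b"<plist><dict><key>Files</key><array><string>a.txt</string></array></dict></plist>"
NESTED = b"<plist>" + b"<array>" * 200 + b"</array>" * 200 + b"</plist>"
```

The check fails closed: malformed input is rejected along with over-deep input, and the scan stops at the first element past the limit instead of reading the rest of the document.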
## Exploitation
- **Status:** PoC available (developed by CISPA researchers); No known exploitation in the wild.
- **Complexity:** Medium (Requires timing for race conditions or proximity for AirDrop).
- **Attack Vector:** Adjacent (Wireless range/Wi-Fi).
## Impact
- **Confidentiality:** Low (No direct file theft demonstrated, but session checks were bypassed).
- **Integrity:** Medium (Ability to manipulate connection states).
- **Availability:** High (Persistent Denial of Service; crashing `sharingd` disables multiple ecosystem features).
## Remediation
### Patches
- **Apple:** One of three AirDrop bugs is patched (specific version/CVE pending public advisory).
- **Google:** A code fix has been merged for the Windows application. Users should update to the latest version of Quick Share for Windows.
- **Samsung:** Under investigation; no patch confirmed yet.
### Workarounds
- Set AirDrop visibility to **"Receiving Off"** or **"Contacts Only"** to prevent unsolicited malformed requests.
- Disable Quick Share when not in use, especially in public wireless environments.
## Detection
- **Indicators of Compromise:** Repeated crashing of the `sharingd` process on Apple devices.
- **Detection Methods:** Monitor system logs for frequent restarts of sharing services or unusual XML parsing errors in the Foundation framework.
## References
- **Research Paper:** hxxps://arxiv[.]org/abs/2606.26967
- **Vendor Advisories:** (Pending publication by Apple and Google)
- **Related News:** hxxps://thehackernews[.]com/2026/06/airdrop-and-quick-share-flaws-let.html