
AirDrop Quick Share Flaws Crash Nearby Devices


An attacker within wireless range, with just a laptop and no prior connection, can crash the sharing service on a Mac or iPhone set to receive from anyone. No tap. No prompt. No interaction.

That is the finding from two researchers who discovered six security flaws in AirDrop and Quick Share, the wireless features that beam files between nearby devices.

The tested bugs hit specific implementations and versions, but the two features run inside an ecosystem of more than five billion active Apple and Android devices. The fixes have already started. Apple has patched one of the three AirDrop bugs. Google has landed a code fix for the Windows Quick Share flaw.

Three Ways to Knock Out Apple's Sharing

The three AirDrop flaws all end in the same crash: they take down sharingd, the background service on macOS and iOS that handles AirDrop.

The catch is that this service also runs:

1. AirPlay
2. Handoff
3. Universal Clipboard
4. Continuity Camera
5. NameDrop

One crash takes the whole set down together.

The simplest of the three AirDrop flaws needs only a single malformed request sent to a device with AirDrop set to receive from Everyone. Send those crash messages on a loop, about one every two seconds, and the features stay down for as long as the attacker keeps going. No legitimate AirDrop transfer gets through while the attack runs.

Two of the three are more than AirDrop bugs. They live in shared Apple frameworks. The broadest is a stack overflow in Foundation's XML property list parser, triggered by a small file with around 200 nested layers.

Any Apple app that opens an untrusted file of that type could hit the same parser path across macOS, iOS, watchOS, tvOS, and visionOS. The researchers reproduced the AirDrop crashes on macOS 15.7.4, macOS 26.3, iOS 18.x, and iOS 26.3. An older iOS 16 build was not affected.
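For code that has to open XML property lists from untrusted sources, one mitigation for this class of bug is to measure nesting with a streaming parser and refuse deep input before any recursive parser sees it. The sketch below is an added example, not code from the researchers or from Apple; the 64-level budget, the function names and the sample plist are assumptions made for illustration.

```python
import plistlib
import xml.parsers.expat

MAX_DEPTH = 64                  # assumed budget, not an Apple-defined limit
CONTAINERS = {"array", "dict"}  # the only XML plist elements that nest

class PlistTooDeep(ValueError):
    pass

def max_container_depth(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Return the deepest array/dict nesting, aborting once `limit` is passed.

    expat delivers start/end events one at a time, so this scan does not
    recurse once per nesting level the way a tree-building parser can.
    """
    depth = deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        if name in CONTAINERS:
            depth += 1
            deepest = max(deepest, depth)
            if depth > limit:
                raise PlistTooDeep(f"nesting exceeds {limit} levels")

    def end(name):
        nonlocal depth
        if name in CONTAINERS:
            depth -= 1

    def entity_decl(*args):
        # Plists never need custom entities; refuse them outright.
        raise ValueError("entity declarations are not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.EntityDeclHandler = entity_decl
    parser.Parse(data, True)
    return deepest

def safe_load(data: bytes):
    """Check nesting first; only then hand the bytes to the real parser."""
    max_container_depth(data)
    return plistlib.loads(data, fmt=plistlib.FMT_XML)

# Constructed sample: a small, well-formed plist nesting two levels deep.
SAMPLE = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
          b'<key>files</key><array><string>a.txt</string></array></dict></plist>')
```

The same pre-check applies in any language: the point is that the depth limit is enforced by an iterative pass, so the rejection itself cannot exhaust the stack.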

The Quick Share Bugs

On Android, two flaws in Samsung's Quick Share let an attacker skip past the handshake that is supposed to lock down a session. One lets an unverified device start driving the connection before any encryption is set up. The other lets some control messages pass unencrypted even after a secure session exists.

An attacker on the same Wi-Fi network could use that gap to force a connection into an "accepted" state, keep it alive, or make the server return attacker-supplied IP and port values. Neither was shown to steal files, but both defeat the protections the system promises.

The researchers tested these on a Galaxy S23 Ultra. Other Android makers' versions of Quick Share need separate checking.
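Both Samsung flaws come down to frames reaching a handler in a session state that should never have allowed them. The sketch below is an added example, not Samsung's or Google's code: it puts the state and encryption check in one place that every frame passes through before dispatch. The frame names, states and policy table are hypothetical.

```python
from enum import Enum, auto

class State(Enum):
    NEW = auto()
    KEY_EXCHANGE = auto()
    SECURE = auto()
    CLOSED = auto()

class Rejected(Exception):
    pass

# Hypothetical frame names: frame -> (state it is valid in, state it leads to)
POLICY = {
    "KEY_INIT":        (State.NEW,          State.KEY_EXCHANGE),
    "KEY_FINISH":      (State.KEY_EXCHANGE, State.SECURE),
    "ACCEPT":          (State.SECURE,       State.SECURE),
    "KEEP_ALIVE":      (State.SECURE,       State.SECURE),
    "ENDPOINT_UPDATE": (State.SECURE,       State.SECURE),
}

class Session:
    def __init__(self):
        self.state = State.NEW
        self.handled = []          # frames that reached a handler

    def receive(self, frame_type: str, encrypted: bool) -> None:
        """Single choke point: every frame is checked before any handler runs."""
        rule = POLICY.get(frame_type)
        secure = self.state is State.SECURE
        # Before keys exist nothing can be encrypted; afterwards everything must be.
        if rule is None or self.state is not rule[0] or encrypted != secure:
            self.state = State.CLOSED    # fail closed: drop the session
            raise Rejected(f"{frame_type!r} refused")
        self.handled.append(frame_type)  # stand-in for the real handler
        self.state = rule[1]

def replay(frames):
    """Feed constructed (frame_type, encrypted) pairs to a fresh session."""
    s = Session()
    for frame_type, encrypted in frames:
        try:
            s.receive(frame_type, encrypted)
        except Rejected:
            break
    return s.state, s.handled
```

Because handlers contain no security checks of their own, adding a new frame type means adding a row to the policy table, and a frame with no row is refused by default.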

The Windows Flaw

The most serious of the six flaws is in Google's Quick Share for Windows. It is a memory bug that surfaces when two connections collide at the right instant, leaving the program using a chunk of memory it has already thrown away.

That is the kind of bug that can sometimes be turned into running attacker code. The researchers say the path is plausible here because a Windows defense called Control Flow Guard is switched off in the app. They confirmed a crash but did not build a working exploit.

Google acknowledged it, paid a bounty, and has now landed a fix. The CVE is still pending.

A Pattern of Patching and Probing

It is not the first time Quick Share for Windows has been here. SafeBreach reported a 10-bug code-execution chain in 2024 (CVE-2024-38271 and CVE-2024-38272). They returned in 2025 to bypass Google's fixes (CVE-2024-10668).

The new use-after-free adds another entry to a pattern of the same component being patched and probed again.

The detail that stings: the program's own source code carried a comment admitting a prior bug in that exact spot, reading "We had a bug here, caused by a race with EncryptionRunner." The fix written to handle it reintroduced the same kind of flaw.

The Risk Is Local, Not Remote

The key limit is range. These are local attacks, not internet-wide ones. The attacker has to be within about 10 to 30 meters or on the same local network.

While less sweeping than a remote bug, a single attacker in a crowded place like an airport, train, or conference can still reach many devices at once. The researchers tested only their own hardware and have released their tools openly so other security teams can reproduce the findings.

What to Do

On a Mac or iPhone, install Apple's latest update (iOS and macOS 26.5.2 shipped June 29). Keep AirDrop on "Contacts Only" or off rather than "Everyone," which is the setting these flaws need.

On Quick Share, leave it out of "Everyone" visibility when you are not actively receiving a file. Update the Windows app now that Google's fix has landed.

The Awkward Timing

The flaws land at an awkward moment. Google's AirDrop interoperability for Quick Share is already rolling out across flagship Android phones. It only works when the iPhone is set to receive from "Everyone," the exact setting that exposes the AirDrop crash bugs.

The Bottom Line

The six flaws show that two independently built systems failed the same way: crashes in code that faces the network, and security checks bolted onto individual message handlers instead of being enforced up front.

Update your Apple devices. Keep AirDrop on Contacts Only. Update Quick Share for Windows. And remember: a stranger next to you can crash your sharing service without a single tap.

FAQ

What are the AirDrop Quick Share vulnerabilities?

They are six security flaws in Apple AirDrop and Google Quick Share that allow nearby attackers to crash the sharing service on devices set to receive from anyone.

Which devices are affected?

Apple devices running macOS and iOS, Samsung Galaxy devices with Quick Share, and Google Quick Share for Windows are affected. The bugs hit specific implementations and versions.

How does the AirDrop attack work?

A single malformed request sent to a device with AirDrop set to "Everyone" crashes the sharingd service. Sending these requests on a loop keeps the service down.

What is the Quick Share Windows flaw?

It is a use-after-free memory bug that surfaces when two connections collide. It could potentially be exploited for code execution.

What should I do?

Install Apple's latest update (iOS and macOS 26.5.2). Keep AirDrop on "Contacts Only." Update Quick Share for Windows. Avoid "Everyone" visibility when not actively receiving files.

Have these vulnerabilities been patched?

Apple patched one of three AirDrop bugs. Google fixed the Windows Quick Share flaw. Samsung's two bugs are still under investigation.

Source: The Hacker News