While the official Over-The-Air (OTA) packages have not yet hit Xiaomi’s servers, the Android May 2026 Security Bulletin has been published, giving us an early look at what to expect. This upcoming release is shaping up to be a critical “quality over quantity” update. Rather than a laundry list of minor tweaks, this patch focuses heavily on closing a severe system-level vulnerability.
The Threat of CVE-2026-0073
The most significant element of the May 2026 update is the remediation of a flaw tracked as CVE-2026-0073, located deep within the Android System component.
-
Vulnerability Type: Remote Code Execution (RCE).
-
Severity Level: Critical.
-
The Technical Threat: This exploit is particularly dangerous because it requires no user interaction. An attacker in close physical proximity (adjacent network/proximal range) can exploit this flaw to execute code with “shell user” privileges. In practical terms, your device could be compromised while sitting untouched in your pocket, making this a true “zero-click” threat.
Additionally, the bulletin highlights that this critical flaw also impacts the adbd (Android Debug Bridge daemon). Fortunately, because adbd is managed under Google’s Project Mainline, some devices may receive partial protection via Google Play System Updates even before Xiaomi pushes the full system OTA.
Once Xiaomi finalizes the integration, the patch will be distributed across the board to devices running Android 14, 15, and 16 frameworks. We expect the rollout to span across both Xiaomi HyperOS 2 and the newer Xiaomi HyperOS 3.
Based on standard update cycles, the first wave will likely prioritize flagship and premium mid-range devices across all regions (Global, EEA, India, and China). When the update arrives, you will be looking for the ro.build.version.security_patch string to read 2026-05-01.
Market Impact and Why You Must Update
Because CVE-2026-0073 bypasses the need for social engineering—meaning you don’t have to be tricked into installing a malicious APK or clicking a phishing link—applying this update the moment it drops is non-negotiable.
Whether you are using a budget-friendly device or a $1,000+ USD premium flagship powered by the latest Snapdragon 8 Elite, the underlying system architecture shares the same vulnerability. Ensuring your device is patched guarantees that your personal data, banking apps, and Xiaomi HyperConnect ecosystem integrations remain entirely secure from proximity-based intrusions.
Yeah… The delay on updating the 13T is starting to become an issue.
When will Xiaomi Pad 7 HyperOS 3.1 come? I am in Turkey.
My POCO F3 is having certification issues with the Google security update, preventing me from using NFC. This delay is affecting my business because I can’t charge my customers using Tap.
Xiaomi still hasn’t provided updates for the 13t device. And we call them a top brand. They could just stop providing these updates altogether.