CVE-2026-26208
Published: 13 February 2026
Summary
CVE-2026-26208 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks in the top 22.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and correction of software flaws like insecure deserialization in ADB Explorer to prevent RCE exploitation.
Enforces validation of information inputs such as the App.txt JSON file to reject malicious gadget chains during deserialization.
Mandates secure configuration settings for system components, including disabling unsafe deserialization options like TypeNameHandling.Objects in Newtonsoft.Json.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Insecure deserialization of the local App.txt settings file (via Newtonsoft.Json TypeNameHandling) directly enables arbitrary code execution when a user launches the legitimate ADB Explorer application, mapping to user execution via a malicious file placed by an attacker.
NVD Description
ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects. This allows an attacker to supply a crafted JSON file containing a gadget chain (e.g., ObjectDataProvider) to execute arbitrary code when the application launches and subsequently saves its settings. This vulnerability is fixed in Beta 0.9.26020.
Deeper analysis
CVE-2026-26208 is an insecure deserialization vulnerability (CWE-502) affecting ADB Explorer, a Windows graphical user interface for the Android Debug Bridge (ADB) tool. Versions prior to Beta 0.9.26020 deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects, enabling attackers to inject malicious payloads. This flaw allows remote code execution when the application loads and processes a crafted JSON file containing a gadget chain, such as ObjectDataProvider.
The vulnerability requires local access (AV:L) with low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), as indicated by its CVSS v3.1 base score of 7.8. A local attacker can exploit it by replacing or modifying the App.txt file with a malicious JSON payload in a location accessible to the application. When a user launches ADB Explorer, the deserialization triggers arbitrary code execution in the context of the application, with potentially high impact on confidentiality, integrity, and availability.
The issue is addressed in ADB Explorer Beta 0.9.26020, as detailed in the project's GitHub security advisory (GHSA-49qx-wpxj-p4mh), release notes, and the fixing commit. Security practitioners should advise users to update to the patched version and to avoid launching the application with untrusted or modified settings files.
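A defender-side check for the condition described above, as an added example that is not code from the ADB Explorer project or its advisory: it walks the text of a settings file such as App.txt and reports every `$type` property, the Newtonsoft.Json metadata key through which TypeNameHandling selects the type to instantiate. The function names, the allow-list parameter and the sample settings keys are constructed for illustration.

```python
import json

class JsonObject(list):
    """A JSON object kept as (key, value) pairs so duplicate keys survive parsing."""

def find_type_directives(node, path="$"):
    """Yield (json_path, type_name) for every "$type" property at any depth."""
    if isinstance(node, JsonObject):
        for key, value in node:
            if key == "$type":
                yield path, value
            else:
                yield from find_type_directives(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_type_directives(item, f"{path}[{i}]")

def audit_settings(text, allowed=frozenset()):
    """Return findings for a settings file; [] means nothing outside the allow-list.

    `allowed` is a hypothetical allow-list of type names the file may carry.
    """
    try:
        # object_pairs_hook keeps every pair, so a later duplicate key cannot
        # hide an earlier object that carries a "$type" directive.
        doc = json.loads(text, object_pairs_hook=JsonObject)
    except json.JSONDecodeError as exc:
        return [("$", f"unparseable JSON: {exc.msg}")]
    return [(p, t) for p, t in find_type_directives(doc)
            if not isinstance(t, str) or t not in allowed]

# Constructed samples: the keys are invented and the second file names a type
# only, with no method or argument data.
SAMPLE_CLEAN = '{"Theme": "Dark", "Recent": [{"Path": "/sdcard"}]}'
SAMPLE_SUSPECT = """{
  "Theme": "Dark",
  "LastDevice": {
    "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework",
    "Note": "constructed sample, no payload"
  }
}"""

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(name, audit_settings(text))
```

A settings file that is plain data needs no type directives, so any finding on an installation still running a version prior to Beta 0.9.26020 is worth triaging before the application is launched.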
Details
- CWE(s)