Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In bta_jv_rfcomm_connect of bta_jv_act.cc, there is a possible bypass of bonding for a secure connection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in the Android Bluetooth stack (versions 14, 15, 16, and 16-qpr2) allows an attacker with low privileges to bypass the bonding requirement for secure RFCOMM connections via a logic flaw in bta_jv_rfcomm_connect. No user interaction is required, and no public exploit identified at time of analysis, though Google has issued a fix in the June 2026 Android Security Bulletin.
Technical ContextAI
The flaw resides in bta_jv_act.cc, part of the Bluetooth Adaptation (BTA) Java/JNI layer in Android's Fluoride/Bluedroid stack that brokers RFCOMM (Radio Frequency Communication) socket connections between Java apps and the native Bluetooth controller. RFCOMM is the serial-port emulation protocol over L2CAP commonly used by SPP, HFP, and PBAP profiles, and bonding is the pairing process that establishes a long-term shared key enabling encrypted, authenticated links. CWE-693 (Protection Mechanism Failure) indicates the code path that should enforce bonding before permitting a 'secure' RFCOMM connection contains a logic error allowing that check to be skipped, so a 'secure' connection is established without the cryptographic prerequisite. CPE cpe:2.3:a:google:android scopes the issue to Google's Android platform code (AOSP Bluetooth) rather than vendor radio firmware.
RemediationAI
Apply the June 2026 Android security patch level (2026-06-01) or later, which contains Google's fix for the bta_jv_rfcomm_connect bonding-bypass; the advisory is published at https://source.android.com/docs/security/bulletin/2026/2026-06-01 and OEM updates will roll out subsequently - devices past end-of-life for security updates remain exposed. No exact AOSP tag is cited in the provided data, so confirm the specific build fingerprint via your device vendor's bulletin. As a compensating control until patches arrive, restrict installation of untrusted apps (Play Protect enabled, sideloading disabled via MDM), and for high-assurance deployments disable Bluetooth when not in use or use MDM policy to block apps from holding BLUETOOTH_CONNECT permission, accepting the trade-off that legitimate Bluetooth accessories (headsets, wearables, car kits) will not function while the restriction is in place.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33776
GHSA-8qpr-7jp9-rxm6