Skip to main content

Google Android CVE-2026-0050

| EUVDEUVD-2026-33779 LOW
Improper Privilege Management (CWE-269)
2026-06-01 google_android GHSA-22vw-7ch9-23fx
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 00:26 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
3.3 (LOW)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In handleBondStateChanged of AdapterService.java, there is a possible sensitive information disclosure due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local information disclosure in Android's Bluetooth stack allows a low-privileged application to bypass permission enforcement in handleBondStateChanged of AdapterService.java, exposing sensitive Bluetooth bonding state data without requiring any user interaction. Affected versions include Android 15, Android 16, and Android 16-qpr2, as confirmed by the June 2026 Android Security Bulletin and EUVD-2026-33779. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, placing it in the lower tier of operational priority despite the permission bypass nature of the flaw.

Technical ContextAI

AdapterService.java is a core component of the Android Bluetooth stack responsible for managing device adapter state, including bond (pairing) state transitions broadcast via handleBondStateChanged. The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, covering Android 15, 16, and 16-qpr2. CWE-269 (Improper Privilege Management) identifies the root cause: the method fails to correctly enforce the privilege level required before exposing bond state change events to calling applications or broadcast receivers. A low-privileged app that should be barred from accessing pairing metadata can intercept or query this state due to missing or inadequately scoped permission checks in the handler's code path.

RemediationAI

Apply the Android Security Bulletin patches dated 2026-06-01, available via the vendor advisory at https://source.android.com/docs/security/bulletin/2026/2026-06-01. OEM device manufacturers (Samsung, Google Pixel, etc.) will distribute this patch through their respective security update channels. The exact patched build version is not independently confirmed from the available data beyond the bulletin reference - consult your device manufacturer's June 2026 security patch level changelog for confirmation. As a compensating control where patching is delayed, restricting installation of untrusted or sideloaded applications reduces exposure, since exploitation requires a locally installed app. Disabling Bluetooth when not in use eliminates the attack surface entirely but has obvious usability trade-offs. Enterprise MDM policies enforcing minimum security patch levels of 2026-06-01 or later provide a detection and enforcement mechanism.

Share

CVE-2026-0050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy