Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
In handleBondStateChanged of AdapterService.java, there is a possible sensitive information disclosure due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Articles & Coverage 1
AnalysisAI
Local information disclosure in Android's Bluetooth stack allows a low-privileged application to bypass permission enforcement in handleBondStateChanged of AdapterService.java, exposing sensitive Bluetooth bonding state data without requiring any user interaction. Affected versions include Android 15, Android 16, and Android 16-qpr2, as confirmed by the June 2026 Android Security Bulletin and EUVD-2026-33779. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, placing it in the lower tier of operational priority despite the permission bypass nature of the flaw.
Technical ContextAI
AdapterService.java is a core component of the Android Bluetooth stack responsible for managing device adapter state, including bond (pairing) state transitions broadcast via handleBondStateChanged. The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, covering Android 15, 16, and 16-qpr2. CWE-269 (Improper Privilege Management) identifies the root cause: the method fails to correctly enforce the privilege level required before exposing bond state change events to calling applications or broadcast receivers. A low-privileged app that should be barred from accessing pairing metadata can intercept or query this state due to missing or inadequately scoped permission checks in the handler's code path.
RemediationAI
Apply the Android Security Bulletin patches dated 2026-06-01, available via the vendor advisory at https://source.android.com/docs/security/bulletin/2026/2026-06-01. OEM device manufacturers (Samsung, Google Pixel, etc.) will distribute this patch through their respective security update channels. The exact patched build version is not independently confirmed from the available data beyond the bulletin reference - consult your device manufacturer's June 2026 security patch level changelog for confirmation. As a compensating control where patching is delayed, restricting installation of untrusted or sideloaded applications reduces exposure, since exploitation requires a locally installed app. Disabling Bluetooth when not in use eliminates the attack surface entirely but has obvious usability trade-offs. Enterprise MDM policies enforcing minimum security patch levels of 2026-06-01 or later provide a detection and enforcement mechanism.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33779
GHSA-22vw-7ch9-23fx