Skip to main content

Android Bluetooth CVE-2026-0059

| EUVDEUVD-2026-33784 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-01 google_android GHSA-vxfp-cjm9-f32r
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:23 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
8.0 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 8.0

DescriptionCVE.org

In multiple functions of sdp_discovery.cc, there is a possible way to achieve code execution due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Proximity-based remote code execution in Google Android (versions 14, 15, 16, and 16-qpr2) is possible via a heap buffer overflow in multiple functions of sdp_discovery.cc, the Bluetooth Service Discovery Protocol component. An adjacent attacker within Bluetooth range can trigger memory corruption without any user interaction, with no public exploit identified at time of analysis. The flaw resides in the native Bluetooth stack and could yield code execution at the privilege level of the Bluetooth process.

Technical ContextAI

The vulnerable code lives in sdp_discovery.cc, part of Android's Bluetooth stack (historically derived from Fluoride/BlueDroid) which handles Service Discovery Protocol (SDP) exchanges over L2CAP. SDP is used by Bluetooth devices to advertise and discover available services and their attributes during pairing or connection. CWE-122 (Heap-Based Buffer Overflow) indicates that attacker-controlled SDP response or attribute data is copied into a heap allocation without adequate bounds validation, corrupting adjacent heap structures. The CPE (cpe:2.3:a:google:android) confirms the AOSP platform is impacted across Android 14 through 16-qpr2 per EUVD records.

RemediationAI

Apply the Android Security Bulletin patch level 2026-06-01 or later as documented at https://source.android.com/docs/security/bulletin/2026/2026-06-01; on Pixel and supported devices this arrives through the monthly OTA, while OEM-built devices must wait for the vendor to integrate the AOSP fix. Patch available per vendor advisory; an exact tagged AOSP fix version is not independently confirmed from the input data. As compensating controls until patched, disable Bluetooth when not actively in use (eliminates the attack surface entirely but disrupts wearables, audio, and car connectivity), keep the device non-discoverable and avoid pairing with untrusted devices in public spaces (reduces but does not eliminate exposure for already-bonded peers), and on managed fleets enforce MDM policies that restrict Bluetooth in high-risk venues.

Share

CVE-2026-0059 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy