Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In l2c_fcr_clone_buf of l2c_fcr.cc, there is a possible way to trigger controlled heap corruption within the privileged Bluetooth process due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in the Android Bluetooth stack (Android 14, 15, 16, and 16-qpr2) allows an adjacent attacker to corrupt the heap of the privileged Bluetooth process via an integer overflow in l2c_fcr_clone_buf. No user interaction or additional execution privileges are required, and at time of analysis there is no public exploit identified, though SSVC rates the technical impact as total.
Technical ContextAI
The flaw resides in the Bluetooth host stack's L2CAP Flow Control and Retransmission Mode handling, specifically the l2c_fcr_clone_buf function in l2c_fcr.cc - a component derived from the Fluoride/Gabeldorsche Bluetooth implementation that runs inside Android's privileged Bluetooth daemon. CWE-190 (Integer Overflow or Wraparound) applies: a size calculation used when cloning an L2CAP buffer can wrap around, leading to an undersized allocation followed by an oversized copy that corrupts the heap. The CPE cpe:2.3:a:google:android confirms this is an AOSP-level defect affecting the Android platform code rather than an OEM-specific component, so the vulnerability is expected to be present in any device shipping the affected AOSP Bluetooth stack.
RemediationAI
Patch available per vendor advisory: install the Android security update with a Security Patch Level of 2026-06-01 or later, as published in the June 2026 Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01, on Android 14, 15, 16, and 16-qpr2 devices. Until the OEM patch reaches a given device, the practical compensating controls are to disable Bluetooth when not in use (eliminates the adjacent attack surface entirely at the cost of losing audio, peripherals, and tethering), avoid installing untrusted apps that request the BLUETOOTH_CONNECT permission (reduces the local PR:L precondition but does not eliminate it), and for managed fleets, use MDM policy to restrict Bluetooth or block sideloading on high-risk devices (trade-off: impacts legitimate Bluetooth peripherals like headsets and car kits). There is no in-stack toggle to disable L2CAP FCR mode for end users.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33805
GHSA-qg59-jjg5-vv4m