Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple locations, there is a possible way to bypass user interaction when pairing an LE device due to a logic error. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Privilege escalation in Google Android Bluetooth Low Energy (LE) pairing affects Android 14, 15, 16, and 16-qpr2, where a logic error allows an adjacent attacker to bypass the user interaction step normally required during LE device pairing. Successful exploitation grants elevated privileges without requiring the victim to approve the pairing prompt, and per SSVC the technical impact is total. No public exploit identified at time of analysis.
Technical ContextAI
The flaw resides in Android's Bluetooth Low Energy pairing flow, which is governed by the Security Manager Protocol (SMP) and is supposed to enforce user-confirmed association models such as Numeric Comparison, Passkey Entry, or Just Works confirmation before establishing a bonded, authenticated link. CWE-693 (Protection Mechanism Failure) maps to the description: the pairing logic exists but a code path skips or mishandles the user-interaction check, so an attacker can negotiate a bond that the OS subsequently treats as user-approved. Because the CPE indicates cpe:2.3:a:google:android across multiple major releases, the defect is in Android's core Bluetooth stack (likely AOSP Bluetooth/Gabeldorsche or the BTA/SMP layer) rather than an OEM-specific component, meaning all downstream OEM builds based on these AOSP branches inherit the bug until they pick up the June 2026 bulletin patches.
RemediationAI
Apply the Android security patch level 2026-06-01 or later from the June 2026 Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-06-01); Google has published fixes in AOSP that downstream OEMs (Samsung, Pixel, Xiaomi, etc.) must integrate into their device builds, so users should install the carrier/OEM update as soon as it is offered. Until the patch is installed, compensating controls include disabling Bluetooth when not in use (eliminates the attack surface entirely but breaks wearables, audio, and car connectivity), keeping the device non-discoverable and avoiding initiating pairing in untrusted public environments, and for managed fleets using MDM policies to disable Bluetooth pairing on high-risk devices or restrict pairing to pre-approved peripheral MAC addresses (reduces usability for end users). Patch status: patch available per vendor advisory (Android Security Bulletin 2026-06-01); exact AOSP fix commit not enumerated in the provided references.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33807
GHSA-jv68-qrpw-49xv