Skip to main content

Android Bluetooth CVE-2026-0097

| EUVDEUVD-2026-33807 HIGH
Protection Mechanism Failure (CWE-693)
2026-06-01 google_android GHSA-jv68-qrpw-49xv
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:27 vuln.today
CVSS changed
Jun 01, 2026 - 23:22 NVD
8.0 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 8.0

DescriptionCVE.org

In multiple locations, there is a possible way to bypass user interaction when pairing an LE device due to a logic error. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Privilege escalation in Google Android Bluetooth Low Energy (LE) pairing affects Android 14, 15, 16, and 16-qpr2, where a logic error allows an adjacent attacker to bypass the user interaction step normally required during LE device pairing. Successful exploitation grants elevated privileges without requiring the victim to approve the pairing prompt, and per SSVC the technical impact is total. No public exploit identified at time of analysis.

Technical ContextAI

The flaw resides in Android's Bluetooth Low Energy pairing flow, which is governed by the Security Manager Protocol (SMP) and is supposed to enforce user-confirmed association models such as Numeric Comparison, Passkey Entry, or Just Works confirmation before establishing a bonded, authenticated link. CWE-693 (Protection Mechanism Failure) maps to the description: the pairing logic exists but a code path skips or mishandles the user-interaction check, so an attacker can negotiate a bond that the OS subsequently treats as user-approved. Because the CPE indicates cpe:2.3:a:google:android across multiple major releases, the defect is in Android's core Bluetooth stack (likely AOSP Bluetooth/Gabeldorsche or the BTA/SMP layer) rather than an OEM-specific component, meaning all downstream OEM builds based on these AOSP branches inherit the bug until they pick up the June 2026 bulletin patches.

RemediationAI

Apply the Android security patch level 2026-06-01 or later from the June 2026 Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-06-01); Google has published fixes in AOSP that downstream OEMs (Samsung, Pixel, Xiaomi, etc.) must integrate into their device builds, so users should install the carrier/OEM update as soon as it is offered. Until the patch is installed, compensating controls include disabling Bluetooth when not in use (eliminates the attack surface entirely but breaks wearables, audio, and car connectivity), keeping the device non-discoverable and avoiding initiating pairing in untrusted public environments, and for managed fleets using MDM policies to disable Bluetooth pairing on high-risk devices or restrict pairing to pre-approved peripheral MAC addresses (reduces usability for end users). Patch status: patch available per vendor advisory (Android Security Bulletin 2026-06-01); exact AOSP fix commit not enumerated in the provided references.

Share

CVE-2026-0097 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy