Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of sdp_discovery.cc, there is a possible way to achieve code execution due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Proximity-based remote code execution in Google Android (versions 14, 15, 16, and 16-qpr2) is possible via a heap buffer overflow in multiple functions of sdp_discovery.cc, the Bluetooth Service Discovery Protocol component. An adjacent attacker within Bluetooth range can trigger memory corruption without any user interaction, with no public exploit identified at time of analysis. The flaw resides in the native Bluetooth stack and could yield code execution at the privilege level of the Bluetooth process.
Technical ContextAI
The vulnerable code lives in sdp_discovery.cc, part of Android's Bluetooth stack (historically derived from Fluoride/BlueDroid) which handles Service Discovery Protocol (SDP) exchanges over L2CAP. SDP is used by Bluetooth devices to advertise and discover available services and their attributes during pairing or connection. CWE-122 (Heap-Based Buffer Overflow) indicates that attacker-controlled SDP response or attribute data is copied into a heap allocation without adequate bounds validation, corrupting adjacent heap structures. The CPE (cpe:2.3:a:google:android) confirms the AOSP platform is impacted across Android 14 through 16-qpr2 per EUVD records.
RemediationAI
Apply the Android Security Bulletin patch level 2026-06-01 or later as documented at https://source.android.com/docs/security/bulletin/2026/2026-06-01; on Pixel and supported devices this arrives through the monthly OTA, while OEM-built devices must wait for the vendor to integrate the AOSP fix. Patch available per vendor advisory; an exact tagged AOSP fix version is not independently confirmed from the input data. As compensating controls until patched, disable Bluetooth when not actively in use (eliminates the attack surface entirely but disrupts wearables, audio, and car connectivity), keep the device non-discoverable and avoid pairing with untrusted devices in public spaces (reduces but does not eliminate exposure for already-bonded peers), and on managed fleets enforce MDM policies that restrict Bluetooth in high-risk venues.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33784
GHSA-vxfp-cjm9-f32r