HIGH 7.8

CVE-2026-0045: Android Bluetooth Bonding Bypass Privilege Escalation

A logic error in Android's Bluetooth RFCOMM connection handling allows a local attacker to bypass the bonding requirement for secure connections. An attacker with local access can escalate privileges without needing special permissions or user interaction, potentially gaining full control over sensitive device functions protected by Bluetooth pairing.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-693
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In bta_jv_rfcomm_connect of bta_jv_act.cc, there is a possible bypass of bonding for a secure connection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-0045 is a privilege escalation vulnerability in the bta_jv_rfcomm_connect function within bta_jv_act.cc. The underlying flaw is a logic error that fails to properly enforce bonding verification before establishing secure RFCOMM (serial port) connections. This allows a local process running with limited privileges to communicate with Bluetooth services that should require prior pairing, effectively bypassing a critical security boundary. The vulnerability affects the Bluetooth stack's assumption that connections are restricted to authenticated peers.

Business impact

If exploited, this vulnerability could permit unauthorized local applications to access sensitive Bluetooth-connected peripherals and device features—such as audio controls, health sensors, or critical device settings—without proper authentication. In enterprise environments where device pairing is part of security policy, this bypass undermines trust boundaries and could enable lateral movement or data exfiltration. For consumer devices, it increases the risk of malicious apps gaining unauthorized control over Bluetooth capabilities.

Affected systems

Google Android is affected across multiple versions. The vulnerability exists in the Bluetooth service framework, meaning any Android device using the standard Bluetooth stack is potentially vulnerable. Verify the specific Android version ranges in Google's official security bulletin and your device's update status.

Exploitability

Exploitation requires local access to the device and execution context with at least limited privileges. No special permissions, user interaction, or network access is needed. Once an attacker has local code execution (e.g., a malicious app installed), they can trigger the vulnerability directly. The attack surface is moderate within a single device but significant for rooted devices or those where untrusted apps may be installed.

Remediation

Update to a patched Android version as released by Google. The fix corrects the logic error in the RFCOMM connection handler to properly validate bonding status before allowing secure connections. Verify the exact patched versions against Google's official Android Security & Privacy Year in Review bulletin for June 2026.

Patch guidance

Monitor Google's official security bulletins for Android patches addressing CVE-2026-0045. Updates are typically rolled out via monthly security patches or major OS releases. Enable automatic updates on all Android devices to minimize the window of exposure. Manufacturers may distribute patches on different timelines; check with your device OEM for availability on your specific model.

Detection guidance

Monitor for unusual local Bluetooth connection activity, particularly from processes that lack standard Bluetooth permissions or that bypass the normal pairing flow. Kernel and Bluetooth logs may show unexpected RFCOMM connections being established without corresponding bonding records. Network and endpoint detection tools should flag connections to Bluetooth services from unexpected local callers.

Why prioritize this

This vulnerability merits high priority due to its LOCAL attack vector combined with HIGH CVSS severity (7.8), unrestricted impact across confidentiality, integrity, and availability, and the complete absence of barriers (no user interaction, no special privileges required beyond local access). Any installed app or local process can exploit it. For enterprises, this represents a direct threat to device security posture; for consumer users, it opens the door to unauthorized control of Bluetooth devices.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects: AV:L (local attack only, limiting immediate external reach); AC:L (no complex conditions or race conditions required); PR:L (requires low-privilege local access, common in multi-user or app-sandboxed scenarios); UI:N (no user interaction needed); S:U (impact is scoped to the affected device); C:H/I:H/A:H (all three security dimensions fully compromised—an attacker can read, modify, and disrupt Bluetooth services). The severity is not CRITICAL because it requires prior local access, but it remains HIGH-priority for any organization managing Android fleets.

Frequently asked questions

Can this be exploited remotely?

No. CVE-2026-0045 requires local code execution on the Android device. Remote attackers cannot trigger it directly unless they first gain local access through another vulnerability or social engineering.

Does every Android app automatically have permission to exploit this?

Not by default. The vulnerability resides in the Bluetooth service framework itself, but exploitation typically requires an app to make unexpected RFCOMM connection calls. Standard sandboxing limits direct access, but the flaw removes a critical authentication check, so even restricted apps may be able to abuse Bluetooth connections they should not have.

Will patching this affect legitimate Bluetooth functionality?

No. The patch corrects a logic error to enforce proper bonding checks, which is the intended design. Legitimate Bluetooth connections that are already bonded will continue to work normally.

Should I disable Bluetooth until I patch?

If your environment is high-risk or you cannot patch immediately, disabling Bluetooth eliminates the local attack surface. For most users, keeping Bluetooth off when not in use and applying patches promptly is practical. Evaluate based on your device's role and threat model.

This analysis is provided for informational purposes to help security teams assess and remediate CVE-2026-0045. Verify all patch version numbers, affected Android versions, and timeline information against Google's official Android Security Bulletin. The CVSS score and vulnerability details are based on the CVE record as of the publication date. Actual exploitability and impact may vary based on device configuration, installed software, and environmental controls. Always test patches in a non-production environment before broad deployment. This document does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).