LOW 3.3

CVE-2026-0050: Android Bluetooth Permissions Bypass Information Disclosure

CVE-2026-0050 is a local information disclosure vulnerability in Android's Bluetooth adapter service. A malicious app with basic user-level permissions can bypass security checks in the handleBondStateChanged function to read sensitive Bluetooth-related information without requiring additional privileges or user interaction. The impact is limited to information disclosure; the attacker cannot modify data or crash the system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-269
Affected products
5 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In handleBondStateChanged of AdapterService.java, there is a possible sensitive information disclosure due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in AdapterService.java's handleBondStateChanged method, which handles Bluetooth bond state transitions. A permissions bypass (CWE-269) allows a local attacker with standard app privileges to access sensitive information that should be protected by Bluetooth-related permissions. The flaw requires no additional execution rights and exploits a logic gap rather than a memory corruption issue, making it reliably exploitable by any installed third-party application.

Business impact

For most organizations, the direct business risk is low given the CVSS 3.3 score and information-only nature of the disclosure. However, enterprises should consider: (1) sensitive Bluetooth device metadata (names, addresses, pairing status) becoming available to untrusted apps on employee devices; (2) potential data aggregation if combined with other leaked information; and (3) compliance implications if Bluetooth device discovery logs are considered personally identifiable or confidential. Consumer-facing businesses relying on Bluetooth security assumptions should assess exposure more carefully.

Affected systems

This vulnerability affects Google Android devices. The source data confirms five Android entries but does not specify which Android versions are impacted. Organizations should verify affected version ranges in the official Android Security & Privacy Year in Review or Google's Security Bulletin; patches are typically delivered through monthly Android security updates to supported device tiers (Pixel devices receive priority; others depend on manufacturer rollout timelines).

Exploitability

Exploitability is straightforward but low-impact. Any installed app—including sideloaded applications or those from Google Play—can trigger the vulnerability if it holds basic Bluetooth permissions (android.permission.BLUETOOTH). No user interaction, device unlock, or social engineering is required once the app is installed. The barrier to exploitation is installation, not technical sophistication. Practical attacks would likely require the attacker to already have app-install capability on the target device.

Remediation

Apply the Android security patch containing the fix for CVE-2026-0050. Users should enable automatic system updates; enterprise deployments should verify patch status through Android Device Administration or MDM solutions. Until patched, the risk is mitigated by restricting installation of untrusted third-party applications and reviewing which apps have been granted Bluetooth permissions via Settings > Apps & Notifications > Permissions > Bluetooth.

Patch guidance

Monitor Android security bulletins and your device manufacturer's update schedule for availability. Pixel devices typically receive patches first; other OEMs follow within weeks to months depending on their release cadence. If your organization uses Android Enterprise or managed devices, confirm that your MDM solution has deployed the patch before considering the asset fully remediated. Verify patch application by checking the Android Security Patch Level in Settings > About Phone and cross-referencing against the official advisory.

Detection guidance

Detection is challenging because the vulnerability leaves minimal forensic traces. Security teams can implement: (1) app permission audits to identify which apps hold Bluetooth permissions and whether they are expected; (2) log review for any unusual Bluetooth-related API calls in app logs (if available); (3) network-based detection if exfiltrated Bluetooth metadata appears in outbound traffic. Most organizations will rely on patch application and preventive app-whitelisting controls rather than behavioral detection.

Why prioritize this

Despite a LOW CVSS score, this vulnerability merits standard priority attention rather than emergency response. The lack of KEV listing and the information-only impact mean it is not an active, weaponized threat. However, it should be addressed in your normal monthly patch cycle to avoid cumulative risk from unpatched local privilege or permission escalations. Prioritize Pixel and critical-use Android devices first; standard employee devices can follow in the next regular update window.

Risk score, explained

The CVSS 3.1 score of 3.3 (LOW) reflects: (1) local-only attack vector—requires the attacker or malware to already be on the device; (2) low privileges—requires only standard user-level app permissions, not root; (3) no user interaction—however, the app must already be installed; (4) confidentiality impact limited to Bluetooth device metadata, not full system secrets or user data. The lack of integrity or availability impact and the need for prior app installation prevent a higher score.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-0050 requires local access—the attacker must already have an app installed on the device. Remote attackers would need to first compromise the device or trick a user into installing a malicious app. This is a local-only vulnerability.

Will unpatched Bluetooth devices be exposed to strangers nearby?

No. The vulnerability requires the attacker to have an installed app on the same device. Bluetooth discoverable mode and advertising are separate concerns; this CVE does not enable remote Bluetooth exploitation or exposure to nearby devices.

Should we block Bluetooth on enterprise devices to mitigate this?

Blocking Bluetooth is not necessary. Instead, patch the devices and enforce app permission policies through MDM to prevent untrusted Bluetooth apps. Bluetooth itself remains secure; the issue is a permission-check bypass in one service function.

What if we cannot patch our Android devices immediately?

Mitigate by auditing installed apps and revoking Bluetooth permissions from applications that do not require it. Use MDM controls to restrict third-party app installation. Monitor for suspicious apps. However, patching remains the definitive fix and should be prioritized in your next maintenance window.

This analysis is based on vulnerability metadata available as of June 2026. Affected Android versions and patch availability vary by device manufacturer and carrier. Organizations should verify specific version ranges and patch release dates through official Android security bulletins and their device vendor's advisory before making patch deployment decisions. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor timelines. This document does not constitute professional security advice; consult your security team for organization-specific risk assessment and remediation planning. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).