HIGH 8.0

CVE-2026-0095: Android Bluetooth Integer Overflow Privilege Escalation

CVE-2026-0095 is a heap corruption flaw in Android's Bluetooth stack that allows a local attacker with limited privileges to escalate to higher system permissions. The vulnerability stems from an integer overflow in the l2c_fcr_clone_buf function, which can be manipulated to corrupt memory in the Bluetooth daemon process. Because this runs in a privileged context, successful exploitation grants elevated access without requiring additional tricks or user interaction.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.0 HIGH · CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-190
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In l2c_fcr_clone_buf of l2c_fcr.cc, there is a possible way to trigger controlled heap corruption within the privileged Bluetooth process due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in l2c_fcr.cc within Android's Bluetooth L2CAP Fragmentation and Reassembly (FCR) layer. An integer overflow in the l2c_fcr_clone_buf function allows an attacker to specify a malformed buffer size that wraps around during allocation, resulting in a smaller-than-expected heap allocation. Subsequent writes to this undersized buffer trigger controlled heap corruption. The attack surface is accessible to any local process on the device, and the privileged Bluetooth daemon (running as a system service) is the target. The CVSS 3.1 vector (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects that access requires local network adjacency or a local account, but once reachable, the attack is straightforward with no complexity factors and delivers high confidentiality, integrity, and availability impact.

Business impact

For Android device manufacturers and enterprises deploying Android in sensitive roles, this vulnerability represents a critical privilege escalation path. An attacker with a compromised or malicious local application, or one obtained through a separate vulnerability, gains direct access to system services and potentially the kernel. This threatens the integrity of security-sensitive operations (payments, authentication, health data), enables lateral movement within enterprise networks, and could facilitate persistent backdoor installation. Devices unable to receive patches remain indefinitely exposed.

Affected systems

The vulnerability affects Google Android. Verify specific version ranges against the official Android security bulletin, as the provided data does not enumerate exact affected releases. Typically, this class of Bluetooth stack flaw affects multiple Android versions unless backported patches are released. Check your device's monthly security patch level and manufacturer advisories to determine exposure.

Exploitability

This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning active exploitation in the wild has not been officially confirmed as of the latest data refresh. However, the technical characteristics—local reachability, no user interaction required, and integer overflow leading to heap corruption—make it a reasonable exploitation target for motivated adversaries. Proof-of-concept code or active exploits may emerge as awareness spreads. The lack of KEV status should not be interpreted as low risk; it reflects timing of discovery relative to deployment, not inherent difficulty.

Remediation

Apply the latest Android security patch released by Google and your device manufacturer corresponding to the CVE publication date of June 2026. Patches will be distributed through the Android Security & Privacy Year in Review bulletin and vendor OTA channels. For enterprise deployments, prioritize devices in high-trust roles (medical, financial, government). Interim mitigation: restrict installation of untrusted applications and disable Bluetooth when not actively needed.

Patch guidance

Consult the official Google Android Security Bulletin for June 2026 and your device manufacturer's security advisory to identify the specific patch level that resolves CVE-2026-0095. Patches are typically released for supported Android versions (usually the current release and 2–3 prior versions). Enable automatic system updates if available. For enterprise environments, coordinate patching through your MDM solution to ensure uniform deployment. Verify patch application by confirming the security patch date in Settings > About Phone exceeds the June 2026 advisory date.

Detection guidance

Monitor system logs for Bluetooth daemon crashes or unexpected privilege escalation attempts from local processes. On Android devices, check for anomalous Bluetooth service restarts via logcat (filter for 'Bluetooth' or daemon process names). In enterprise environments, endpoint detection and response (EDR) tools may flag suspicious inter-process communication or capability escalation from low-privileged to system context. Network-based detection is limited since the attack is entirely local; focus on behavioral signals and crash patterns. Canary builds or test devices updated with patches can help validate remediation effectiveness before wide rollout.

Why prioritize this

Despite not appearing on the KEV list, this vulnerability warrants high priority due to its CVSS 8.0 (HIGH) rating, complete lack of user interaction requirement, and the privileged nature of the affected Bluetooth daemon. Local privilege escalation in mobile operating systems is a foundational attack for mobile malware and surveillance. The combination of ease-of-reach (local network or compromised app) and high impact (system-level access) makes it a natural stepping stone for sophisticated attackers. Organizations using Android in critical roles should treat this as urgent; consumer users should update as soon as patches are available.

Risk score, explained

The CVSS 3.1 score of 8.0 (HIGH) reflects: Attack Vector = Adjacent (local network or on-device), Attack Complexity = Low (straightforward overflow), Privileges Required = Low (any local user), User Interaction = None, Scope = Unchanged, and all three impact metrics (Confidentiality, Integrity, Availability) = High. The score does not include active exploitation data; it is purely technical severity. The absence of KEV designation does not reduce the intrinsic score, only indicates current threat intelligence. In practice, risk to your organization depends on Android distribution, patch cadence, and whether you operate in threat models where local compromise is plausible.

Frequently asked questions

Do I need to be physically near the device to exploit this?

No. The vulnerability requires local system access (an attacker process on the device or network-adjacent with established local connectivity). This could mean a compromised application, a malicious user account, or an attacker already inside a private network. Physical proximity is not strictly necessary if network access is established.

Why doesn't this appear on CISA's KEV list?

CISA's KEV list tracks vulnerabilities for which active exploitation by threat actors has been verified or reported. CVE-2026-0095 may be too recent, not yet publicly exploited, or targeted by a limited set of adversaries. Inclusion on KEV does not determine severity; it signals confirmed real-world exploitation. Absence does not indicate low risk.

Can I work around this without patching?

Full remediation requires a patch. Temporary risk reduction includes disabling Bluetooth when unused, restricting installation of third-party applications to trusted sources, and isolating the device from untrusted networks. However, these measures do not eliminate the vulnerability if an attacker already has local code execution capability.

Which Android versions are affected?

The provided vulnerability data does not specify exact version ranges. Consult the official Google Android Security Bulletin for June 2026 and your device manufacturer's advisory to confirm which versions receive patches. Support windows typically cover the current release and 2–3 prior major versions.

This analysis is based on publicly available vulnerability data as of June 2026. CVSS scores and technical details are factual representations sourced from official security bulletins. Exploitation status, patch availability, and applicability to specific systems should be verified against official vendor advisories and your organization's vulnerability management processes. No proof-of-concept or weaponized code is provided. This intelligence is for defensive planning only. Consult legal and compliance teams regarding disclosure obligations and incident response procedures in your jurisdiction. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).