HIGH 8.0

CVE-2026-0097: Android Bluetooth Pairing Logic Error Allows Silent Privilege Escalation

A logic error in Android's Bluetooth Low Energy (LE) pairing mechanism allows an attacker within wireless range to pair a device without requiring user approval or interaction. An attacker with local access to a Bluetooth-enabled Android device can escalate privileges by circumventing the normal pairing consent flow, potentially gaining full read, write, and execution access on the target device. This is particularly dangerous because it requires no user action to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.0 HIGH · CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-693
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In multiple locations, there is a possible way to bypass user interaction when pairing an LE device due to a logic error. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-0097 is a privilege escalation vulnerability in Android's LE device pairing logic (CWE-693: Protection Mechanism Failure). The flaw allows bypassing the user interaction requirement during Bluetooth pairing through a logic error, enabling an attacker within proximal range (adjacent network access) to establish an authenticated pairing session with reduced security checks. With Low complexity exploitation and minimal prerequisites (Low privilege required), an attacker can gain high-impact access to confidentiality, integrity, and availability of the affected device. The CVSS 3.1 score of 8.0 (HIGH) reflects the combination of adjacent attack surface, no user interaction needed, and full system compromise potential.

Business impact

Organizations deploying Bluetooth-enabled Android devices face heightened risk of unauthorized access and data exfiltration. An attacker could silently establish trust relationships with corporate devices in physical proximity—such as during meetings, events, or shared workspaces—leading to credential theft, lateral movement within enterprise networks, or installation of persistent backdoors. Retail, healthcare, and field service deployments using wearables or IoT accessories are especially exposed. The lack of user awareness (no interaction required) means the attack is silent and may go undetected until damage occurs.

Affected systems

The vulnerability affects multiple versions and configurations of Google Android. The ground-truth data lists Google Android as the affected vendor and product. Organizations should verify the complete list of affected Android versions and patch status through the Android Security & Privacy Year in Review bulletin and official Google security advisories. Device-level exposure depends on Bluetooth enablement and proximity of potential attackers.

Exploitability

This vulnerability is readily exploitable with minimal prerequisites. An attacker needs only: (1) physical proximity to a target Android device with Bluetooth enabled, (2) low privilege (likely unpaired device status), and (3) the ability to initiate a pairing request. No user approval is required due to the logic error, and no additional execution privileges are needed. The attack can be automated and repeated, making it attractive for targeted device compromise or mass scanning in high-density environments. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, but the straightforward nature of the flaw suggests active research and proof-of-concept development are likely underway.

Remediation

Apply Android security patches addressing CVE-2026-0097 as soon as they become available from Google. Patches should be deployed to all Bluetooth-capable Android devices, prioritizing those in high-risk environments (corporate, healthcare, financial). Additionally, organizations should: (1) enforce device enrollment and mobile device management (MDM) policies to enforce Bluetooth pairing restrictions, (2) educate users to keep devices in non-discoverable mode when not actively pairing, and (3) monitor for unusual Bluetooth pairing events in enterprise logs.

Patch guidance

Contact Google and your device manufacturer for official patch availability and timelines. Verify patch deployment against Android Security Bulletin advisories for June 2026 or later. Patches will likely be released as monthly security updates; expedited patches may be issued for high-risk carriers or manufacturers. Enable automatic security updates on affected devices and configure MDM systems to enforce patch installation within 30 days of release. Test patches in a controlled environment before broad enterprise rollout to ensure compatibility with internal Bluetooth accessories and applications.

Detection guidance

Monitor Bluetooth event logs for unexpected pairing attempts or successful pairings from unknown devices, particularly in enterprise environments. EDR and MDM solutions should flag suspicious Bluetooth activity, including rapid pairing attempts, pairings from new MAC addresses, or pairing events outside business hours. On Android devices with logging enabled, examine Bluetooth framework logs (available via adb logcat) for pairing state transitions that bypass user consent prompts. Network-based detection is limited due to Bluetooth's local-only range, but physical security measures (monitoring public access points and meeting spaces) can reduce attacker proximity opportunity.

Why prioritize this

HIGH severity with immediate patch action warranted. The combination of no user interaction required, privilege escalation capability, and silent exploitation makes this a critical risk in any environment where device security and data confidentiality matter. The attack surface is broad (any Bluetooth-enabled Android device), the barrier to entry is low (physical proximity), and the impact is severe (full device compromise). Organizations should treat this as a critical priority, second only to zero-day exploits in active use.

Risk score, explained

CVSS 3.1 score of 8.0 (HIGH) is justified by: (1) Adjacent attack vector (AV:A) reflecting the need for proximal Bluetooth range, (2) Low attack complexity (AC:L) and low privilege requirements (PR:L) indicating straightforward exploitation, (3) No user interaction (UI:N), the most dangerous factor enabling silent compromise, (4) Unchanged scope (S:U) with high impact across confidentiality, integrity, and availability (C:H/I:H/A:H), representing complete device control. The score appropriately reflects a critical, exploitable privilege escalation vulnerability that requires urgent patching.

Frequently asked questions

Can this vulnerability be exploited over long distance?

No. The vulnerability requires adjacent/proximal access, meaning the attacker must be within Bluetooth range of the target device—typically 10–100 meters depending on device class and environment. This limits the attack to targeted scenarios where the attacker is physically near the target.

Will users see any warning or notification if this attack succeeds?

No. The logic error bypasses the user interaction requirement, so there will be no pairing consent dialog, notification, or alert. The attack is completely silent, which is why enterprise detection and preventive MDM controls are critical.

Does keeping Bluetooth off entirely eliminate the risk?

Yes. If Bluetooth is disabled, the device cannot be paired at all. However, organizations must balance security against functionality. Instead, use Bluetooth discoverable mode only when actively pairing, keep devices in non-discoverable mode otherwise, and monitor pairing events through MDM.

Is there a workaround if patches are delayed?

Partial mitigations include: (1) disabling Bluetooth when not in use, (2) enrolling devices in MDM to monitor and restrict pairing, (3) keeping devices in non-discoverable mode, and (4) physically isolating high-risk devices. However, these are not substitutes for patching—apply official security updates as soon as available.

This analysis is based on publicly available information as of the publication date. CVSS scores, affected product lists, and patch availability are subject to change as vendors release advisories and patches. Organizations must verify affected versions and patch status directly through Google's official Android Security & Privacy bulletins and their device manufacturers' advisory channels. SEC.co does not provide guarantee of accuracy for vendor-specific patch details; always consult authoritative vendor documentation. This vulnerability is not currently on CISA's KEV list; threat actors may begin active exploitation at any time. For the latest threat intelligence, threat hunting, and remediation guidance, consult your security team or engage professional incident response services. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).