CVE-2026-0045: Android Privilege Escalation Vulnerability

CVE-2026-0045 is a privilege escalation vulnerability in Google Android that allows attackers to bypass bonding for secure connections. This post covers the technical details, affected versions, and mitigation.

CVE-2026-0045 Overview

CVE-2026-0045 is a logic error in the bta_jv_rfcomm_connect function of bta_jv_act.cc in the Android Bluetooth stack. The flaw allows a local attacker to bypass bonding requirements when establishing a secure RFCOMM (Radio Frequency Communication) connection. Successful exploitation results in local privilege escalation without requiring additional execution privileges or user interaction. The vulnerability is categorized as [CWE-693] Protection Mechanism Failure and affects Google Android versions 14, 15, and 16, including multiple QPR2 beta releases.

Critical Impact

Local applications can bypass Bluetooth bonding checks to obtain elevated privileges on affected Android devices without user interaction.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, 2, and 3)

Discovery Timeline

  • 2026-06-01 - Google publishes the Android Security Bulletin addressing CVE-2026-0045
  • 2026-06-01 - CVE-2026-0045 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-0045

Vulnerability Analysis

The vulnerability resides in bta_jv_rfcomm_connect, a function within the Bluetooth Application Layer (BTA) Java Virtual Machine (JV) module that handles outbound RFCOMM connection requests. RFCOMM is a transport protocol providing emulated RS-232 serial ports over the Bluetooth L2CAP layer, used by profiles such as Hands-Free, SPP, and OPP.

A logic error in the connection setup path fails to enforce the bonding state requirement before granting access to a security-sensitive channel. As a result, a local attacker can initiate a connection that should require a previously bonded peer and authenticated link, but proceeds without those preconditions being satisfied.

The flaw is classified as a Protection Mechanism Failure ([CWE-693]) because the security control intended to gate access to the secure channel is reachable through a state path the developer did not anticipate.

Root Cause

The root cause is incorrect conditional logic in bta_jv_act.cc that evaluates the security and bonding requirements for an RFCOMM connection. The check either evaluates the wrong state variable or is short-circuited under conditions an unprivileged caller can produce, allowing a connection flagged as requiring bonding to be established without it.

Attack Vector

Exploitation requires local access with low privileges, such as a malicious application installed on the device. The attacker invokes the affected RFCOMM connection path through exposed Bluetooth APIs, triggering the flawed security check. Because user interaction is not required and the scope is unchanged, the resulting privilege escalation occurs entirely within the local process boundary.

No public proof-of-concept exploit code is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Android Security Bulletin June 2026 for additional technical context.

Detection Methods for CVE-2026-0045

Indicators of Compromise

  • Unexpected RFCOMM connections originating from third-party applications without prior pairing events in logcat Bluetooth traces.
  • Applications requesting BLUETOOTH_CONNECT permissions and immediately invoking RFCOMM socket APIs against unbonded peers.
  • Anomalous Bluetooth profile activity from non-system UIDs accessing secure RFCOMM channels.

Detection Strategies

  • Audit installed applications for use of BluetoothDevice.createRfcommSocketToServiceRecord or reflection-based access to private Bluetooth APIs.
  • Inspect Android security patch level via ro.build.version.security_patch and confirm devices report a patch level of 2026-06-01 or later.
  • Correlate Bluetooth HAL logs with application process activity to identify connection attempts that bypass expected bonding flows.
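The correlation described in the indicators and strategies above, as an added example that is not code from the original page or from Android. It assumes Bluetooth telemetry has already been normalized into event records; the field names (`ts`, `kind`, `peer`, `uid`, `bonded`, `secure`) are a hypothetical schema, and the sample events are constructed.

```python
FIRST_APP_ID = 10000      # Android app IDs start here; lower IDs are system
PER_USER_RANGE = 100000   # uid = user_id * 100000 + app_id

def unbonded_secure_connects(events, initially_bonded=()):
    """Return (ts, uid, peer) for secure RFCOMM connects made by app UIDs
    to peers that were not bonded at the time of the connect."""
    bonded = set(initially_bonded)
    hits = []
    # Telemetry can arrive out of order, so replay it by timestamp.
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "bond_state":
            if ev["bonded"]:
                bonded.add(ev["peer"])
            else:
                bonded.discard(ev["peer"])   # bond removed
        elif ev["kind"] == "rfcomm_connect":
            is_app = ev["uid"] % PER_USER_RANGE >= FIRST_APP_ID
            if ev["secure"] and is_app and ev["peer"] not in bonded:
                hits.append((ev["ts"], ev["uid"], ev["peer"]))
    return hits

# Constructed events (hypothetical schema, placeholder addresses).
PEER_A = "AA:BB:CC:00:00:01"
PEER_B = "AA:BB:CC:00:00:02"
EVENTS = [
    {"ts": 3, "kind": "rfcomm_connect", "uid": 10150, "peer": PEER_B, "secure": True},
    {"ts": 1, "kind": "bond_state", "peer": PEER_A, "bonded": True},
    {"ts": 2, "kind": "rfcomm_connect", "uid": 10123, "peer": PEER_A, "secure": True},
    {"ts": 4, "kind": "rfcomm_connect", "uid": 10150, "peer": PEER_B, "secure": False},
    {"ts": 5, "kind": "rfcomm_connect", "uid": 1002, "peer": PEER_B, "secure": True},
    {"ts": 6, "kind": "bond_state", "peer": PEER_A, "bonded": False},
    {"ts": 7, "kind": "rfcomm_connect", "uid": 1010123, "peer": PEER_A, "secure": True},
]

if __name__ == "__main__":
    for ts, uid, peer in unbonded_secure_connects(EVENTS):
        print(f"ts={ts} uid={uid} secure RFCOMM connect to unbonded peer {peer}")
```

A legitimate first connection can itself start pairing, so treat hits as leads to review against the device's patch level rather than as confirmed exploitation.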

Monitoring Recommendations

  • Forward Android device telemetry, including Bluetooth subsystem events and package install records, to a centralized analytics platform for behavioral baselining.
  • Monitor enterprise fleets for devices that remain on pre-June 2026 patch levels and prioritize them for remediation.
  • Track newly installed applications that request Bluetooth runtime permissions on managed devices.

How to Mitigate CVE-2026-0045

Immediate Actions Required

  • Apply the June 2026 Android security patch (patch level 2026-06-01 or later) to all affected devices.
  • Restrict installation of untrusted applications, particularly those requesting Bluetooth permissions, through enterprise mobility management (EMM) policies.
  • Disable Bluetooth on devices that cannot be patched promptly and do not require it operationally.

Patch Information

Google addressed CVE-2026-0045 in the Android Security Bulletin June 2026. Device manufacturers integrate the fix into vendor security patch levels of 2026-06-01 and later. Pixel devices receive the patch directly from Google; other OEMs ship the fix on their own release cadences.

Workarounds

  • Turn off Bluetooth when not actively in use to eliminate the local attack surface.
  • Use EMM controls to block installation of applications that request BLUETOOTH_CONNECT or related runtime permissions on unpatched devices.
  • Enforce a minimum security patch level requirement for device enrollment and conditional access.

```bash
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
```
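
To apply the same patch-level check across a fleet, as the monitoring and enrollment recommendations above call for, the following added example (not code from the original page) classifies devices against the 2026-06-01 level and the affected releases listed here. The inventory rows are constructed, and the status labels and the `ro.build.version.release` lookup are choices made for this example.

```python
import re
import subprocess
from datetime import date

FIX_LEVEL = date(2026, 6, 1)   # fixed patch level stated on this page
AFFECTED = {14, 15, 16}        # Android releases this page lists as affected

def parse_patch(raw):
    """Parse a YYYY-MM-DD patch level; None for empty or malformed values."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", (raw or "").strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:         # well-formed but impossible, e.g. month 13
        return None

def classify(release, patch_raw):
    """Return 'patched', 'vulnerable', 'not-listed' or 'unknown'."""
    major = re.match(r"\d+", (release or "").strip())
    patch = parse_patch(patch_raw)
    if major is None or patch is None:
        return "unknown"       # never assume a device is safe on bad data
    if int(major.group()) not in AFFECTED:
        return "not-listed"    # release is not in this page's affected list
    return "patched" if patch >= FIX_LEVEL else "vulnerable"

def getprop(serial, name):
    """Read one property over adb, e.g. ro.build.version.security_patch."""
    out = subprocess.run(["adb", "-s", serial, "shell", "getprop", name],
                         capture_output=True, text=True, timeout=15)
    return out.stdout.strip()

def triage(rows):
    """rows: iterable of (serial, release, patch_level) -> {serial: status}."""
    return {serial: classify(rel, patch) for serial, rel, patch in rows}

# Constructed inventory rows (not real devices), e.g. from an EMM export.
SAMPLE = [
    ("emu-01", "14", "2026-05-01"),
    ("emu-02", "16", "2026-06-01"),
    ("emu-03", "15", ""),
    ("emu-04", "13", "2025-03-05"),
    ("emu-05", "15", "2026-13-01"),
]

if __name__ == "__main__":
    for serial, status in triage(SAMPLE).items():
        print(f"{serial}: {status}")
```

Devices reported as `unknown` should be handled like `vulnerable` for enrollment and conditional access until a valid patch level is collected.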

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
