
CVE-2026-0097: Google Android Privilege Escalation Flaw

CVE-2026-0097 is a privilege escalation vulnerability in Google Android that allows attackers to bypass user interaction during LE device pairing. This article covers the technical details, affected versions, and mitigation.

CVE-2026-0097 Overview

CVE-2026-0097 affects Google Android versions 14, 15, and 16, including multiple Android 16 QPR2 beta builds. The vulnerability is a logic error in the Bluetooth Low Energy (LE) pairing flow that allows an attacker to bypass the user interaction step normally required to confirm device pairing. A proximal attacker within Bluetooth range can complete pairing without victim consent, leading to escalation of privilege on the target device. No user interaction and no additional execution privileges are required. Google addressed the issue in the Android Security Bulletin June 2026. The flaw is classified under [CWE-693] Protection Mechanism Failure.

Critical Impact

An adjacent attacker can pair an arbitrary Bluetooth LE device with a target Android handset without user confirmation, gaining elevated access to data and capabilities exposed over the Bluetooth stack.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)

Discovery Timeline

  • 2026-06-01 - CVE-2026-0097 published to NVD alongside the Android Security Bulletin
  • 2026-06-01 - Google releases the June 2026 Android security patch
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-0097

Vulnerability Analysis

The vulnerability resides in the Android Bluetooth LE pairing logic. During a standard LE Secure Connections or Legacy Pairing exchange, the device is expected to enforce a user-visible confirmation step, such as Numeric Comparison, Passkey Entry, or Just Works confirmation when authentication requirements demand it. The affected code path contains a logic error in multiple locations of the pairing state machine that allows the confirmation step to be skipped under attacker-controlled conditions.

Because the protection mechanism that gates pairing fails, an attacker within radio range can complete bonding without the victim tapping a prompt. Once bonded, the attacker's device inherits the access rights granted to paired LE peripherals, which can include GATT services exposing sensitive data, HID input injection, or access to profile-level functionality. This results in remote privilege escalation from an unauthenticated adjacent attacker to a paired, trusted peer.

Root Cause

The root cause is a protection mechanism failure [CWE-693] in the pairing decision logic. Conditional checks that should require explicit user acknowledgment evaluate to a state that proceeds with pairing automatically. Because the defect appears in multiple locations, the security bulletin indicates that several code paths within the Bluetooth subsystem share the same flawed assumption about when interaction can be omitted.

Attack Vector

Exploitation requires the attacker to be within Bluetooth LE range of the target device, typically a few meters. The target must have Bluetooth enabled, which is the default state on most modern Android handsets due to background features such as Find My Device and Quick Share. The attacker initiates pairing as an LE peripheral or central, triggers the vulnerable code path, and completes bonding without any tap or confirmation on the victim's screen. From there, the attacker can interact with exposed GATT services or LE profiles using the privileges granted to bonded devices.

No verified public proof-of-concept code is available for this issue. See the Android Security Bulletin June 2026 for vendor technical detail.

Detection Methods for CVE-2026-0097

Indicators of Compromise

  • Unexpected entries in the Android Bluetooth paired devices list, particularly devices the user does not recognize.
  • logcat entries from the bluetooth and BluetoothLeService tags showing successful bonding events without a preceding user confirmation dialog.
  • New bond records in /data/misc/bluedroid/bt_config.conf that lack a matching system UI interaction event in system_server logs.

Detection Strategies

  • Audit fleet devices through MDM or EMM tooling to enumerate currently bonded Bluetooth peers and flag bonds created outside expected enrollment windows.
  • Correlate Bluetooth bonding telemetry with foreground UI activity to identify pairings that occurred while the screen was off or while no pairing dialog was shown.
  • Monitor for repeated LE advertising or connection attempts from unknown MAC addresses near sensitive locations using enterprise wireless intrusion detection.
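The correlation in the second strategy above, as an added example that is not part of this page or of Android's own tooling: the script scans a constructed, simplified log (the line format, tag names and addresses are assumed for illustration and are not real logcat output) and flags bond events for which no pairing dialog was shown for that address shortly before.

```python
"""Flag Bluetooth bonds that were not preceded by a pairing dialog.

Added example; the log format below is constructed and does not reproduce
real Android logcat output. Assumed shape: "<date> <time> <tag>: <message>".
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines: EE:01 and EE:03 were confirmed via a dialog,
# EE:02 bonded with no dialog at all (the pattern described for this flaw).
SAMPLE_LOG = """\
2026-06-02 09:14:02 BluetoothPairingDialog: showing pairing dialog for AA:BB:CC:DD:EE:01
2026-06-02 09:14:05 bluetooth: bond state changed AA:BB:CC:DD:EE:01 -> BONDED
2026-06-02 12:40:17 bluetooth: bond state changed AA:BB:CC:DD:EE:02 -> BONDED
2026-06-02 18:01:30 BluetoothPairingDialog: showing pairing dialog for AA:BB:CC:DD:EE:03
2026-06-02 18:02:10 bluetooth: bond state changed AA:BB:CC:DD:EE:03 -> BONDED
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+): (.*)$")
DIALOG_RE = re.compile(r"showing pairing dialog for ([0-9A-F:]{17})")
BOND_RE = re.compile(r"bond state changed ([0-9A-F:]{17}) -> BONDED")


def parse(log_text):
    """Yield (timestamp, tag, message) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def find_unconfirmed_bonds(log_text, window_seconds=120):
    """Return [(address, bond_time)] for bonds with no dialog shown for that
    address within window_seconds before the bond event."""
    last_dialog = {}  # address -> time the pairing dialog was last shown
    suspicious = []
    for ts, _tag, msg in parse(log_text):
        d = DIALOG_RE.search(msg)
        if d:
            last_dialog[d.group(1)] = ts
            continue
        b = BOND_RE.search(msg)
        if b:
            addr = b.group(1)
            shown = last_dialog.get(addr)
            # A dialog shown long before (or never) does not count as consent.
            if shown is None or ts - shown > timedelta(seconds=window_seconds):
                suspicious.append((addr, ts))
    return suspicious
```

On a real fleet the same logic would run over exported device logs, with the regexes adapted to the actual tags the bulletin and your devices emit.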

Monitoring Recommendations

  • Forward Android device logs and MDM Bluetooth inventory events into a centralized analytics platform such as Singularity Data Lake for longitudinal review.
  • Alert on Bluetooth security patch level fields reported by MDM that remain below the 2026-06-01 patch level.
  • Track devices that frequently appear in unmanaged physical environments, since adjacency is required for exploitation.

How to Mitigate CVE-2026-0097

Immediate Actions Required

  • Apply the June 2026 Android security patch level 2026-06-01 or later on all affected Android 14, 15, and 16 devices.
  • Through MDM, enforce minimum security patch level policies and quarantine devices that cannot update.
  • Instruct users to disable Bluetooth in untrusted physical environments such as conferences, transit, and public venues until patched.
  • Audit and remove unknown bonded devices from device Bluetooth settings.

Patch Information

Google published fixes in the Android Security Bulletin June 2026. Devices reporting a security patch level of 2026-06-01 or newer contain the corrected Bluetooth LE pairing logic. OEMs distribute the patch through their own update channels, so confirm vendor availability for non-Pixel hardware.

Workarounds

  • Disable Bluetooth when not in active use, especially on devices that cannot yet receive the June 2026 patch.
  • Use MDM configuration profiles to restrict Bluetooth pairing on managed devices, for example by disallowing new bonds on corporate-owned handsets.
  • Limit exposure by keeping affected devices in Faraday sleeves or powered down in high-risk physical environments.

```bash
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later

# Enumerate current Bluetooth bonded devices for audit
adb shell dumpsys bluetooth_manager | grep -E "BondedDevices|name=|address="
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
