Android Bluetooth, Logic Error Bypass, CVE-2026-0097 (Critical) -DC-Jun2026-147

Listen to this Post

CVE-2026-0097 is a vulnerability in Android’s Bluetooth Low Energy (LE) pairing logic that can be exploited by an attacker within radio range to bypass user interaction and escalate privileges on the target device. This flaw resides in the Bluetooth stack’s state machine during the LE device pairing process. Due to a logic error in multiple locations of the Android Bluetooth framework, a malicious device can manipulate the pairing handshake to circumvent standard security mechanisms.
Under normal circumstances, pairing a new LE device requires user confirmation to prevent unauthorized connections. However, CVE-2026-0097 allows the pairing request to be processed and completed without any notification or consent on the target device. The attack is feasible because of a flawed conditional check in the code that processes incoming LE pairing requests. An attacker using a specially crafted device can send a sequence of Bluetooth packets that exploit this flawed logic, causing the Android system to automatically trust the attacker’s device as a paired peripheral.
Successful exploitation leads to a remote (proximal/adjacent) escalation of privilege. Since the attacker’s device becomes a trusted paired device, it can then interact with the phone as if it were a legitimate accessory, such as a keyboard or headset. This grants the attacker the ability to inject input events, access contacts, and potentially issue commands with the same privileges as the user, all without any execution rights or interaction from the victim. The attack is considered highly critical because it is stealthy, requires no user interaction to initiate, and can be performed from up to 10 meters away.

DailyCVE Form:

Platform: Android
Version: 14,15,16,16-qpr2
Vulnerability : LE Pairing Bypass
Severity: Critical / 8.0
date: 2026-06-01

Prediction: 2026-06-15

What Undercode Say:

Identify vulnerable Bluetooth interface
sudo hciconfig -a
Set up Bluetooth controller (attacker device)
sudo hciconfig hci0 up
Use btlejack or custom tool to sniff and inject pairing packets
This CVE exploits a logic error in LE pairing; a custom exploit can perform:
1. Scan for target using 'hcitool lescan'
2. Initiate LE pairing using a crafted 'll_connection_param_req'

Exploit:

The attack involves sending a crafted LE Long Term Key (LTK) request out of sequence. By sending a `ll_enc_req` packet before the pairing procedure is fully authenticated, the Android device processes the request outside the expected flow. Because the receiving function `smp_command_processor` has a logical flaw in its state verification, it jumps to the “paired” state prematurely, granting the attacker full trusted peripheral access.

Protection:

  • Apply the 2026-06-01 security patch level included in the June Android Security Bulletin.
  • For enterprise devices, enforce SPL requirements and block devices that have not been updated.
  • Disable Bluetooth when not in use as a temporary mitigation.

Impact:

This vulnerability leads to a remote escalation of privilege, allowing an attacker within Bluetooth range to interact with the device as a trusted peripheral without the user’s knowledge or consent, potentially compromising sensitive data and device control.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top