HIGH · CVE-2026-0059 · CNA: google_android

CVE-2026-0059: In multiple functions of sdp_discovery

In multiple functions of sdp_discovery.cc, there is a possible way to achieve code execution due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 8.0
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A heap buffer overflow in Android's Bluetooth SDP (Service Discovery Protocol) implementation allows an attacker on an adjacent network, such as within Bluetooth radio range, to execute arbitrary code on the target device. The flaw requires only a low-privilege account and no victim interaction. Successful exploitation gives the attacker full read, write, and execution control over the affected process. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-0059 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built Android-derived container images. Any image carrying an affected version of the Android Bluetooth stack (Android 14, 15, 16, and 16-qpr2) is flagged automatically across customer registries and CI pipelines.

Status: Available

Triage

HarborGuard scores this CVE at 8.0 HIGH using the published CVSS v3.1 vector and weights it against each customer environment's compliance policy to surface urgency appropriately. Findings are routed to the relevant team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

No fix version has been published by Google for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Detail

    The attacker must be on an adjacent network segment, such as within Bluetooth radio range or the same local LAN or VPN, to reach the vulnerable SDP service.

  • Authentication: Required

    A low-privilege account or Bluetooth pairing context is sufficient; no administrative credentials are required.

  • Victim interaction: Not required

    No action from the device owner or any other user is needed to trigger the overflow.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions or specific memory layout prerequisites are required to succeed.

Blast Radius

  • Attacker executes arbitrary code within the Bluetooth stack process on the target device.
  • Full confidentiality impact: the attacker reads memory contents accessible to the affected process, including stored session data or credentials.
  • Full integrity impact: the attacker modifies process memory and persisted data reachable from the Bluetooth stack.
  • Full availability impact: the attacker can crash or destabilize the Bluetooth service or the broader system process it runs within.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-0059 as of the publication date, HarborGuard monitors the Google Android advisory on every ingest cycle and will trigger a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads, with no manual steps required. In the interim, compensating controls worth considering include network-policy rules that restrict Bluetooth-adjacent container workloads from reaching untrusted peers, egress filtering to limit lateral movement if the Bluetooth stack is compromised, and feature-flag gating to disable SDP discovery where the service is not operationally required. Where compliance policy permits, HarborGuard can surface these compensating-control recommendations as advisory annotations on affected image findings.

Affected packages

  • Google / Android
    16-qpr2 · 16 · 15 · 14

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H