HIGH · CVE-2026-0097 · CNA: google_android

CVE-2026-0097: In multiple locations, there is a possible way to bypass user interaction when pairing an LE device due to a logic error

In multiple locations, there is a possible way to bypass user interaction when pairing an LE device due to a logic error. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 8.0
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is an authentication bypass vulnerability in Google Android (versions 14 through 16-qpr2) rooted in a logic error in the Bluetooth Low Energy (LE) pairing flow. An attacker on the same local network or within Bluetooth radio range can exploit it without any user interaction, using only a low-privilege account. Successful exploitation gives the attacker escalated privileges on the targeted Android device, with full access to confidential data, the ability to modify system state, and the potential to disrupt device operation. No fix version has been published upstream; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Google Android security bulletins) within minutes of publication and matched against all customer container images, including custom-built images that bundle Android platform components or depend on affected libraries.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 8.0 (HIGH) and weighting that score against each environment's compliance policy to determine breach-of-threshold status; routing to the correct team inbox within each customer org follows automatically based on those policy rules.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment Google publishes a remediated release. In the interim, customers can use HarborGuard's compensating-control suggestions (see Recommendation) to reduce exposure.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Detail

    The attacker must be within adjacent-network range, such as Bluetooth radio proximity, the same LAN segment, or a shared VPN, to reach the vulnerable pairing interface.

  • Authentication: Required

    A low-privilege account or equivalent Bluetooth client context is required, though no elevated or administrative privileges are needed to launch the exploit.

  • Victim interaction: Not required

    No action from the device owner or any other user is required; the pairing bypass is fully attacker-driven.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other hard-to-control environmental factors.

Blast Radius

  • Reads sensitive data stored on the device, including credentials, messages, and application data (Confidentiality: High).
  • Modifies system settings, application data, or device configuration without the owner's consent (Integrity: High).
  • Crashes or disrupts services running on the affected Android device (Availability: High).
  • Achieves privilege escalation on the device, potentially gaining capabilities beyond the initial Bluetooth client context.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-0097 as of this writing, HarborGuard monitors the Google Android security advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix version is published. Customers running container workloads that include Android platform components or adjacent Bluetooth stack libraries should review those images in their HarborGuard dashboard now. As compensating controls, consider applying network-policy isolation to restrict Bluetooth-adjacent service exposure in containerized environments, enabling egress filtering to limit lateral movement if a host is compromised, and using feature-flag gating to disable LE pairing functionality in images where it is not operationally required. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be initiated automatically once an upstream fix is available, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes after the fix lands.

Affected packages
  • Google / Android
    16-qpr2 · 16 · 15 · 14
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H