Description
In handleBondStateChanged of AdapterService.java, there is a possible sensitive information disclosure due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in AdapterService’s handleBondStateChanged allows a local process to read data that should be protected by stricter permissions. An attacker can learn sensitive information without needing higher privileges or user interaction. The flaw represents a classic information exposure issue.

Affected Systems

The issue affects devices running Google Android. No specific OS version was enumerated in the advisory, so any build that includes the vulnerable AdapterService implementation could be impacted.

Risk and Exploitability

Because the flaw is local and does not require user interaction, an attacker with physical or local access to the device can exploit it immediately. The CVSS score is 3.3, which is considered low severity, and the EPSS metric is unavailable, so the exact threat level is uncertain; however, the lack of required privileges makes it a high-risk local vulnerability. The vulnerability is not listed in CISA's KEV catalog, implying no confirmed exploits yet, but the permission bypass suggests a straightforward attack path by invoking the vulnerable method.

Generated by OpenCVE AI on June 2, 2026 at 03:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch that addresses the AdapterService handleBondStateChanged permission bypass.
  • If a patch is not yet available, disable or restrict Bluetooth functionality to prevent exposure of AdapterService behaviors.
  • Monitor device logs for anomalous calls to AdapterService and investigate potential local exploitation attempts.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Title Android AdapterService Permission Bypass Enables Local Information Disclosure

Tue, 02 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Local Sensitive Information Disclosure via AdapterService Permission Bypass in Android
Weaknesses CWE-200, CWE-284

Tue, 02 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Local Sensitive Information Disclosure via AdapterService Permission Bypass in Android
Weaknesses CWE-200, CWE-284

Mon, 01 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Google, Google android
Vendors & Products Google, Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In handleBondStateChanged of AdapterService.java, there is a possible sensitive information disclosure due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-01T23:28:49.413Z

Reserved: 2025-10-15T15:39:44.581Z

Link: CVE-2026-0050

Vulnrichment

Updated: 2026-06-01T23:28:38.496Z

NVD

Status: Received

Published: 2026-06-01T22:16:20.500

Modified: 2026-06-02T00:16:34.417

Link: CVE-2026-0050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T03:30:26Z

Weaknesses