Cyber Resilience

CVE-2025-26438

High

Published: 04 September 2025

Published
04 September 2025
Modified
05 September 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0016 36.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26438 is a high-severity Improper Authentication (CWE-287) vulnerability in Google Android. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 36.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26438 is a vulnerability in the `smp_process_secure_connection_oob_data` function within `smp_act.cc` of the Android Bluetooth stack, located in `platform/packages/modules/Bluetooth`. It stems from an incorrect implementation of the Security Manager Protocol (SMP), enabling authentication bypass (CWE-287). The issue affects Android devices running vulnerable versions of the Bluetooth subsystem and was published on 2025-09-04 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low privileges (PR:L) can exploit this remotely over the network (AV:N) with low complexity and no user interaction required. Successful exploitation allows remote escalation of privilege without needing additional execution privileges, potentially granting high-impact access to confidentiality, integrity, and availability of affected systems.

The Android Security Bulletin for 2025-05-01 details the vulnerability and recommends updating to patched Android versions. A specific fix is available in the commit at https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e6130675c04752947ac4779c178ce70eb959a97f, which security practitioners should verify and apply to mitigate the issue.

EU & UK References

Vulnerability details

In smp_process_secure_connection_oob_data of smp_act.cc, there is a possible way to bypass SMP authentication due to Incorrect implementation of a protocol. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for…

more

exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Authentication bypass in remote Bluetooth SMP stack directly enables remote service exploitation (T1210) leading to privilege escalation (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0111Same product: Google Android
CVE-2024-56192Same product: Google Android
CVE-2025-48602Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2025-0075Same product: Google Android
CVE-2024-49738Same product: Google Android
CVE-2024-40651Same product: Google Android
CVE-2025-48574Same product: Google Android
CVE-2026-0023Same product: Google Android
CVE-2025-48647Same product: Google Android

Affected Assets

google
android
13.0, 14.0, 15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, reporting, and correction of the SMP implementation flaw in the Android Bluetooth stack to prevent authentication bypass.

prevent

Requires proper identification and authentication of Bluetooth devices prior to connection, directly countering the SMP authentication bypass vulnerability.

preventdetect

Controls authorization, connections, and monitoring of wireless Bluetooth access to mitigate remote exploitation of the authentication flaw.

References