CVE-2025-26438
Published: 04 September 2025
Summary
CVE-2025-26438 is a high-severity Improper Authentication (CWE-287) vulnerability in Google Android. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 36.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely identification, reporting, and correction of the SMP implementation flaw in the Android Bluetooth stack to prevent authentication bypass.
- IA-3 (Device Identification and Authentication): requires proper identification and authentication of Bluetooth devices prior to connection, directly countering the SMP authentication bypass vulnerability.
- Wireless access control: controls authorization, connections, and monitoring of wireless Bluetooth access to mitigate remote exploitation of the authentication flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authentication bypass in the remotely reachable Bluetooth SMP stack directly enables exploitation of a remote service (T1210), which in turn leads to privilege escalation (T1068).
NVD Description
In smp_process_secure_connection_oob_data of smp_act.cc, there is a possible way to bypass SMP authentication due to Incorrect implementation of a protocol. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysis
CVE-2025-26438 is a vulnerability in the `smp_process_secure_connection_oob_data` function within `smp_act.cc` of the Android Bluetooth stack, located in `platform/packages/modules/Bluetooth`. It stems from an incorrect implementation of the Security Manager Protocol (SMP), enabling authentication bypass (CWE-287). The issue affects Android devices running vulnerable versions of the Bluetooth subsystem and was published on 2025-09-04 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges (PR:L) can exploit this remotely over the network (AV:N) with low complexity and no user interaction required. Successful exploitation allows remote escalation of privilege without needing additional execution privileges, potentially granting high-impact access to confidentiality, integrity, and availability of affected systems.
The Android Security Bulletin for 2025-05-01 details the vulnerability and recommends updating to patched Android versions. A specific fix is available in the commit at https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e6130675c04752947ac4779c178ce70eb959a97f, which security practitioners should verify and apply to mitigate the issue.
Details
- CWE(s)