CVE-2025-26438
published 2025-09-04CVE-2025-26438: In smp_process_secure_connection_oob_data of smp_act.cc, there is a possible way to bypass SMP authentication due to Incorrect implementation of a protocol…
high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
In smp_process_secure_connection_oob_data of smp_act.cc, there is a possible way to bypass SMP authentication due to Incorrect implementation of a protocol. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| platform | packages_modules_bluetooth | >= 13:0 < 13:2025-05-01 | 13:2025-05-01 |
| platform | packages_modules_bluetooth | >= 14:0 < 14:2025-05-01 | 14:2025-05-01 |
| platform | packages_modules_bluetooth | >= 15-next:0 < 15-next:2025-05-01 | 15-next:2025-05-01 |
| platform | packages_modules_bluetooth | >= 15:0 < 15:2025-05-01 | 15:2025-05-01 |
GHSA
GHSA-4462-gvjv-pqm2: In smp_process_secure_connection_oob_data of smp_act
ghsa_unreviewed·2025-09-04
CVE-2025-26438 [HIGH] CWE-287 GHSA-4462-gvjv-pqm2: In smp_process_secure_connection_oob_data of smp_act
In smp_process_secure_connection_oob_data of smp_act.cc, there is a possible way to bypass SMP authentication due to Incorrect implementation of a protocol. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
OSV
CVE-2025-26438: In smp_process_secure_connection_oob_data of smp_act
osv·2025-05-01
CVE-2025-26438 CVE-2025-26438: In smp_process_secure_connection_oob_data of smp_act
In smp_process_secure_connection_oob_data of smp_act.cc, there is a possible way to bypass SMP authentication due to Incorrect implementation of a protocol. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Android
CVE-2025-26438: Android Security Bulletin 2025-05-01
CVE: CVE-2025-26438
Severity: HIGH
Type: EoP
Affected AOSP versions: 13, 14, 15
References: A-251514171
vendor_android·2025-05-01·CVSS 8.8
CVE-2025-26438 [HIGH] CVE-2025-26438: Android Security Bulletin 2025-05-01
CVE: CVE-2025-26438
Severity: HIGH
Type: EoP
Affected AOSP versions: 13, 14, 15
References: A-251514171
Android Security Bulletin 2025-05-01
CVE: CVE-2025-26438
Severity: HIGH
Type: EoP
Affected AOSP versions: 13, 14, 15
References: A-251514171
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-09-04
Published