{"id":"ASB-A-484861632", "published":"2026-06-01T00:00:00Z", "modified":"2026-06-25T15:18:14.132838247Z", "aliases":["CVE-2026-0095", "A-484861632"], "details":"In l2c_fcr_clone_buf of l2c_fcr.cc, there is a possible way to trigger controlled heap corruption within the privileged Bluetooth process due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"17-next:0"}, {"fixed":"17-next:2026-06-01"}]}], "versions":["17-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/a06794634568ac246276971376af4adff8e8d893"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["83840755078324362925509410316242776633", "267885723366867762225374160559742378314", "179638801758111450015026000152289852671", "163520179063456601969417100730868051973"], "threshold":0.9}, "id":"ASB-A-484861632-c173f0e8", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/a06794634568ac246276971376af4adff8e8d893", "target":{"file":"system/stack/l2cap/l2c_fcr.cc"}}]}}, {"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15:0"}, {"fixed":"15:2026-06-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/44bb1230dae667474f6580c35319044b87dc4cb5"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["275055668648064963303506679904391661414", "160000270240500899071217659641120495542", "179638801758111450015026000152289852671", "163520179063456601969417100730868051973"], "threshold":0.9}, "id":"ASB-A-484861632-05730e42", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/44bb1230dae667474f6580c35319044b87dc4cb5", "target":{"file":"system/stack/l2cap/l2c_fcr.cc"}}]}}, {"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16:0"}, {"fixed":"16:2026-06-01"}]}], "versions":["16"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/593d5418481c50daeb35192e88b2fe9ef33ae127"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["83840755078324362925509410316242776633", "267885723366867762225374160559742378314", "179638801758111450015026000152289852671", "163520179063456601969417100730868051973"], "threshold":0.9}, "id":"ASB-A-484861632-ff534438", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/593d5418481c50daeb35192e88b2fe9ef33ae127", "target":{"file":"system/stack/l2cap/l2c_fcr.cc"}}]}}, {"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2:0"}, {"fixed":"16-qpr2:2026-06-01"}]}], "versions":["16-qpr2"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ff35cee49cc6e391344565667ec1e1e18bdbc523"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["83840755078324362925509410316242776633", "267885723366867762225374160559742378314", "179638801758111450015026000152289852671", "163520179063456601969417100730868051973"], "threshold":0.9}, "id":"ASB-A-484861632-0cbb9d81", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ff35cee49cc6e391344565667ec1e1e18bdbc523", "target":{"file":"system/stack/l2cap/l2c_fcr.cc"}}]}}, {"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2026-06-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/554513a005973790810445b444288c736d8a73e1"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["70662555543140505078823076871343166825", "124877498965059226071334053205526675227", "273201385823047102600021156475830385649", "163520179063456601969417100730868051973"], "threshold":0.9}, "id":"ASB-A-484861632-ab6103f6", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/554513a005973790810445b444288c736d8a73e1", "target":{"file":"system/stack/l2cap/l2c_fcr.cc"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2026-06-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/abc8b696b615415de6608afb726b1da4214fb6af"}]}