From: 490h3fqwomf via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 05 Jun 2026 09:21:12 +0000
Hello Full Disclosure,
The following publicly available research describes a Bluetooth attack against Samsung Galaxy Buds that leverages
connection arbitration behavior between HFP and A2DP profiles to preempt an active audio session.
Title:
Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption
Exploiting Seamless Earbud Connection Arbitration to Bypass Pairing Trust Boundaries
According to the published research, an attacker within Bluetooth range can force a transition of the active audio
session to an attacker-controlled device without requiring user interaction or. The writeup argues that this behavior
crosses expected trust boundaries associated with paired devices and may allow unauthorized audio routing or session
takeover under certain conditions.
The author states that the issue was reported to Samsung and that Samsung ultimately classified the observed behavior
as "working as intended."
Original publication:
Gist:
https://gist.github.com/mroldguy/98c77d25a3e01d6d966523dac353af86
Original:
https://paste.rs/UkBmF.md
Archived copy:
https://archive.is/6KXIp
Summary of the claims made in the publication:
- Affects Samsung Galaxy Buds devices.
- Relies on Bluetooth Classic profile behavior involving HFP and A2DP connection management.
- Described as a zero-click attack requiring no user approval during takeover.
- Does not require compromise of the target phone.
- Reportedly allows an attacker within radio range to preempt an active session and become the active audio endpoint.
- Vendor response is reported as "working as intended."
Interested readers should consult the original publication for technical details, proof-of-concept material, disclosure
timeline, testing methodology, and limitations.
I am not the author of this research. This message is a reference to an already-public disclosure and is being
forwarded for awareness and archival purposes.
Regards,
Anonymous (490h3fqwomf[)](mailto:490h3fqwomf () proton me)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Samsung Galaxy Buds – Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption (Vendor Response: Working as Intended) 490h3fqwomf via Fulldisclosure (Jul 02)