Full Disclosure mailing list archives
Samsung Galaxy Buds – Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption (Vendor Response: Working as Intended)
From: 490h3fqwomf via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 05 Jun 2026 09:21:12 +0000
Hello Full Disclosure, The following publicly available research describes a Bluetooth attack against Samsung Galaxy Buds that leverages connection arbitration behavior between HFP and A2DP profiles to preempt an active audio session. Title: Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption Exploiting Seamless Earbud Connection Arbitration to Bypass Pairing Trust Boundaries According to the published research, an attacker within Bluetooth range can force a transition of the active audio session to an attacker-controlled device without requiring user interaction or. The writeup argues that this behavior crosses expected trust boundaries associated with paired devices and may allow unauthorized audio routing or session takeover under certain conditions. The author states that the issue was reported to Samsung and that Samsung ultimately classified the observed behavior as "working as intended." Original publication: Gist: https://gist.github.com/mroldguy/98c77d25a3e01d6d966523dac353af86 Original: https://paste.rs/UkBmF.md Archived copy: https://archive.is/6KXIp Summary of the claims made in the publication: - Affects Samsung Galaxy Buds devices. - Relies on Bluetooth Classic profile behavior involving HFP and A2DP connection management. - Described as a zero-click attack requiring no user approval during takeover. - Does not require compromise of the target phone. - Reportedly allows an attacker within radio range to preempt an active session and become the active audio endpoint. - Vendor response is reported as "working as intended." Interested readers should consult the original publication for technical details, proof-of-concept material, disclosure timeline, testing methodology, and limitations. I am not the author of this research. This message is a reference to an already-public disclosure and is being forwarded for awareness and archival purposes. Regards, Anonymous (490h3fqwomf[)](mailto:490h3fqwomf () proton me) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Samsung Galaxy Buds – Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption (Vendor Response: Working as Intended) 490h3fqwomf via Fulldisclosure (Jul 02)
