In smpprocesssecureconnectionoobdata of smpact.cc, there is a possible way to bypass SMP authentication due to Incorrect implementation of a protocol. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 1478.0, "function_hash": "107254158032908572902498059590686816099" }, "id": "ASB-A-251514171-33c77558", "source": "https://googleplex-android.googlesource.com/platform/packages/modules/Bluetooth/+/0f5a7b3433c93e587bc5491b1647c208cfc04c38", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/smp/smp_act.cc", "function": "smp_process_secure_connection_oob_data" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "169925125941823537600752468026067539694", "113385753266922047354390093774613920887", "95995477923874679239548703631812912981", "178521878968928782378602093856495850943", "222466249588433036185688638542666214903", "22045282971727450260633747393179431458", "197489951114962900942914413509197911311", "198797200908979355331313755418372457948", "309453622334382306353816301098314124138", "127606651789028192380669981705663883234", "202563545451616409801547758769826172190", "11573155842480106439572378862971032968", "184031576880264426989094457705577290909" ] }, "id": "ASB-A-251514171-50c8b1d7", "source": "https://googleplex-android.googlesource.com/platform/packages/modules/Bluetooth/+/0f5a7b3433c93e587bc5491b1647c208cfc04c38", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/smp/smp_act.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/0f5a7b3433c93e587bc5491b1647c208cfc04c38" ], "spl": "2025-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "134130937920452753674887637254696993259", "231708506710858175866185609260707736235", "147235756275927838069155532100272565165" ] }, "id": "ASB-A-251514171-0eca9eaf", "source": "https://googleplex-android.googlesource.com/platform/packages/modules/Bluetooth/+/faea50382d2b1932abac40b76507d9bcd374635e", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/smp/smp_act.cc" }, "signature_type": "Line" }, { "digest": { "length": 1086.0, "function_hash": "198628309788322758344083288511938625723" }, "id": "ASB-A-251514171-7d5f0e05", "source": "https://googleplex-android.googlesource.com/platform/packages/modules/Bluetooth/+/faea50382d2b1932abac40b76507d9bcd374635e", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/smp/smp_act.cc", "function": "smp_process_secure_connection_oob_data" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/faea50382d2b1932abac40b76507d9bcd374635e" ], "spl": "2025-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "114632973770150251003126669934355297115", "26568688585533256737126348896221948843", "131396730146234005761979337859761040741" ] }, "id": "ASB-A-251514171-535821b2", "source": "https://googleplex-android.googlesource.com/platform/packages/modules/Bluetooth/+/eb5e369706a6698769bc37f9afc1f386d822efcf", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/smp/smp_act.cc" }, "signature_type": "Line" }, { "digest": { "length": 1132.0, "function_hash": "17155854342471303826645813739715962542" }, "id": "ASB-A-251514171-bbf22fa8", "source": "https://googleplex-android.googlesource.com/platform/packages/modules/Bluetooth/+/eb5e369706a6698769bc37f9afc1f386d822efcf", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/smp/smp_act.cc", "function": "smp_process_secure_connection_oob_data" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/eb5e369706a6698769bc37f9afc1f386d822efcf" ], "spl": "2025-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "114632973770150251003126669934355297115", "26568688585533256737126348896221948843", "131396730146234005761979337859761040741" ] }, "id": "ASB-A-251514171-06bf7a68", "source": "https://googleplex-android.googlesource.com/platform/packages/modules/Bluetooth/+/eb5e369706a6698769bc37f9afc1f386d822efcf", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/smp/smp_act.cc" }, "signature_type": "Line" }, { "digest": { "length": 1132.0, "function_hash": "17155854342471303826645813739715962542" }, "id": "ASB-A-251514171-ceb070a5", "source": "https://googleplex-android.googlesource.com/platform/packages/modules/Bluetooth/+/eb5e369706a6698769bc37f9afc1f386d822efcf", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/smp/smp_act.cc", "function": "smp_process_secure_connection_oob_data" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/eb5e369706a6698769bc37f9afc1f386d822efcf" ], "spl": "2025-05-01", "severity": "High", "types": [ "EoP" ] }