In gatt_process_prep_write_rsp of gatt_cl.cc, there is a possible privilege escalation due to a use-after-free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"severity": "Critical",
"fixes": [
"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5691da36ac2660ce6bef5e66ab6bfc44b2a5234c",
"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2dea9ee94cb226e1d4512605ecd3eb6c10a23469"
],
"spl": "2023-09-01",
"vanir_signatures": [
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5691da36ac2660ce6bef5e66ab6bfc44b2a5234c",
"target": {
"function": "gatt_process_prep_write_rsp",
"file": "system/stack/gatt/gatt_cl.cc"
},
"deprecated": false,
"digest": {
"function_hash": "327308509473520656259748089261658192523",
"length": 888.0
},
"signature_type": "Function",
"id": "ASB-A-274617156-c2458c64"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5691da36ac2660ce6bef5e66ab6bfc44b2a5234c",
"target": {
"file": "system/stack/gatt/gatt_cl.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"318440185895434637676380588862911382286",
"13514835453571790780077099379225445734",
"28648695534725913265346600049273226947",
"145670385113418970428262088660637920665",
"277598990240879637461296365000270535121",
"67207769955544220583744134133328629092",
"166843589009004638375159620055223363904",
"263351727945242443198419910108234088999"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-274617156-e2d14812"
}
],
"types": [
"RCE"
]
}
{
"severity": "Critical",
"fixes": [
"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cbaa83627b328eee8f2e26188909a5ebfb0388d5"
],
"spl": "2023-09-01",
"vanir_signatures": [
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cbaa83627b328eee8f2e26188909a5ebfb0388d5",
"target": {
"file": "system/stack/gatt/gatt_cl.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"318440185895434637676380588862911382286",
"13514835453571790780077099379225445734",
"28648695534725913265346600049273226947",
"145670385113418970428262088660637920665",
"277598990240879637461296365000270535121",
"67207769955544220583744134133328629092",
"166843589009004638375159620055223363904",
"263351727945242443198419910108234088999"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-274617156-13263728"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cbaa83627b328eee8f2e26188909a5ebfb0388d5",
"target": {
"function": "gatt_process_prep_write_rsp",
"file": "system/stack/gatt/gatt_cl.cc"
},
"deprecated": false,
"digest": {
"function_hash": "327308509473520656259748089261658192523",
"length": 888.0
},
"signature_type": "Function",
"id": "ASB-A-274617156-c53db921"
}
],
"types": [
"RCE"
]
}