ASB-A-375159480
See a problem?- Import Source
- https://storage.googleapis.com/android-osv/ASB-A-375159480.json
- JSON Data
- https://api.osv.dev/v1/vulns/ASB-A-375159480
- Aliases
-
- A-375159480
- CVE-2025-22404
- Published
- 2025-03-01T00:00:00Z
- Modified
- 2025-03-03T16:12:20.708441Z
- Summary
- [none]
- Details
-
In avctlcbmsgind of avctlcb_act.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- References
Affected packages
Android / platform/packages/modules/Bluetooth
Package
Ecosystem specific
{
"vanir_signatures": [
{
"digest": {
"length": 2448.0,
"function_hash": "211682704352143239582969659138051468098"
},
"id": "ASB-A-375159480-243b4fb7",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/sdp/sdp_server.cc",
"function": "process_service_search"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"21449444399169415137039231101742242443",
"60515099035128252460509346087551164686",
"254748262588180354977847863067803374759",
"6413842235703169635818426872924502154",
"21449444399169415137039231101742242443",
"60515099035128252460509346087551164686",
"254748262588180354977847863067803374759",
"312620671144370223027810779677125236580"
]
},
"id": "ASB-A-375159480-2e407d2a",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/sdp/sdp_server.cc"
},
"signature_type": "Line"
},
{
"digest": {
"length": 1251.0,
"function_hash": "91424337111038413579272907700077040308"
},
"id": "ASB-A-375159480-3136d9eb",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/rfcomm/rfc_ts_frames.cc",
"function": "rfc_send_buf_uih"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"74641538914346852857267348249740164903",
"293395952620485091978881415781896805742",
"266579781076762653552747380862386612904",
"310074054473201161610099806162878752225",
"42250379856589024969395104863387963094",
"1836413212261462881434922511270017843",
"339312077979917122918925805090104541575"
]
},
"id": "ASB-A-375159480-377d6002",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/rfcomm/rfc_utils.cc"
},
"signature_type": "Line"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"278719654710964618101210848754009275059",
"49885897274829998276364004515720726758",
"213786969092065232671792541435749925905",
"262713393390953510170728638432178916805",
"137174571306154522262397846868544064959",
"28344529003624627703427290036788761406",
"220186030684688752703802123991787488089"
]
},
"id": "ASB-A-375159480-58589795",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/bnep/bnep_main.cc"
},
"signature_type": "Line"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"71016669386664999699571887293822839632",
"158418248385361645084367451181786161370",
"111150459039969148351689205583351752605",
"296544364640014085120524446797662561862",
"314269659719338931261932183198514959018",
"85671645750158290750940906116145001785",
"278689253255781974557001976675962955782",
"246299187267508569837624111916129823843"
]
},
"id": "ASB-A-375159480-5cced63c",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/bnep/bnep_utils.cc"
},
"signature_type": "Line"
},
{
"digest": {
"length": 1581.0,
"function_hash": "298131935973619507107049381436297318889"
},
"id": "ASB-A-375159480-876dd1fa",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/avct/avct_lcb_act.cc",
"function": "avct_lcb_msg_ind"
},
"signature_type": "Function"
},
{
"digest": {
"length": 2674.0,
"function_hash": "205347561901463235834401272257821673301"
},
"id": "ASB-A-375159480-900cc150",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/sdp/sdp_discovery.cc",
"function": "process_service_attr_rsp"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"142600366915217162261739578436175484793",
"255299789667415803693575933947461572783",
"106632307121245935338573268112607750018",
"269772223161259960096375348066468600541",
"269372604943126953834979591812938494537",
"144707340389045496811475387088503090325",
"121496720903623348799813417725012027760",
"317626365540118766860480187588170966381"
]
},
"id": "ASB-A-375159480-9a5c690c",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/avct/avct_lcb_act.cc"
},
"signature_type": "Line"
},
{
"digest": {
"length": 677.0,
"function_hash": "12673076343507638312812824653104382089"
},
"id": "ASB-A-375159480-9eb791f0",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/bnep/bnep_utils.cc",
"function": "bnepu_check_send_packet"
},
"signature_type": "Function"
},
{
"digest": {
"length": 5816.0,
"function_hash": "310920675969930511777141851498808176379"
},
"id": "ASB-A-375159480-a54607ad",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/sdp/sdp_server.cc",
"function": "process_service_attr_req"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"149272764073703809669421546090731542086",
"132375438198367819111153161607144242575",
"186177419848916491106430461256472221809",
"173774141378478538531125887402733948298"
]
},
"id": "ASB-A-375159480-b234fd7a",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/sdp/sdp_discovery.cc"
},
"signature_type": "Line"
},
{
"digest": {
"length": 676.0,
"function_hash": "253678056635035088504033523220752328234"
},
"id": "ASB-A-375159480-c0339fb0",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/rfcomm/rfc_utils.cc",
"function": "rfc_check_send_cmd"
},
"signature_type": "Function"
},
{
"digest": {
"length": 602.0,
"function_hash": "75580304012516946551019259548117278475"
},
"id": "ASB-A-375159480-c77c5532",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/hid/hidd_conn.cc",
"function": "hidd_check_config_done"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"286492870679602804280964940989204901945",
"67110201630402263891771703272658454172",
"256109504533161345568861341919688005179",
"134700917868465397091104271083321682710",
"150656896105989019014209336970868281653",
"242968755299909932195285964837982845832",
"160892530356149352026281647557871454263",
"220186030684688752703802123991787488089"
]
},
"id": "ASB-A-375159480-f14df4a3",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/rfcomm/rfc_ts_frames.cc"
},
"signature_type": "Line"
},
{
"digest": {
"length": 900.0,
"function_hash": "41505479305311525475484895086379786917"
},
"id": "ASB-A-375159480-fa5c8197",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/bnep/bnep_main.cc",
"function": "bnep_congestion_ind"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"128323925956333047702747552450695125822",
"253537584789621024230809936703314682988",
"126526341276163702897146843989459870879",
"109389038437024207784949494393571815066",
"174444684524383211097674842390477420011",
"275284755790749135861706596144142952317",
"123851060640754868022270066786042676363",
"65495981240995975797575921080681322630"
]
},
"id": "ASB-A-375159480-ffa35b9d",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "system/stack/hid/hidd_conn.cc"
},
"signature_type": "Line"
}
],
"fixes": [
"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce"
],
"spl": "2025-03-01",
"severity": "High",
"types": [
"EoP"
]
}