In avct_lcb_msg_ind of avct_lcb_act.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"severity": "High",
"fixes": [
"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce"
],
"spl": "2025-03-01",
"vanir_signatures": [
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"function": "process_service_search",
"file": "system/stack/sdp/sdp_server.cc"
},
"deprecated": false,
"digest": {
"function_hash": "211682704352143239582969659138051468098",
"length": 2448.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-14a28aa1"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"file": "system/stack/rfcomm/rfc_ts_frames.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"286492870679602804280964940989204901945",
"67110201630402263891771703272658454172",
"256109504533161345568861341919688005179",
"134700917868465397091104271083321682710",
"150656896105989019014209336970868281653",
"242968755299909932195285964837982845832",
"160892530356149352026281647557871454263",
"220186030684688752703802123991787488089"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-25c463de"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"function": "process_service_attr_req",
"file": "system/stack/sdp/sdp_server.cc"
},
"deprecated": false,
"digest": {
"function_hash": "310920675969930511777141851498808176379",
"length": 5816.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-2b94d904"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"function": "process_service_attr_rsp",
"file": "system/stack/sdp/sdp_discovery.cc"
},
"deprecated": false,
"digest": {
"function_hash": "205347561901463235834401272257821673301",
"length": 2674.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-3926e970"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"file": "system/stack/avct/avct_lcb_act.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"142600366915217162261739578436175484793",
"255299789667415803693575933947461572783",
"106632307121245935338573268112607750018",
"269772223161259960096375348066468600541",
"269372604943126953834979591812938494537",
"144707340389045496811475387088503090325",
"121496720903623348799813417725012027760",
"317626365540118766860480187588170966381"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-505f7b27"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"function": "hidd_check_config_done",
"file": "system/stack/hid/hidd_conn.cc"
},
"deprecated": false,
"digest": {
"function_hash": "75580304012516946551019259548117278475",
"length": 602.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-5ccf29e1"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"function": "bnepu_check_send_packet",
"file": "system/stack/bnep/bnep_utils.cc"
},
"deprecated": false,
"digest": {
"function_hash": "12673076343507638312812824653104382089",
"length": 677.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-65da7ada"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"file": "system/stack/sdp/sdp_discovery.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"149272764073703809669421546090731542086",
"132375438198367819111153161607144242575",
"186177419848916491106430461256472221809",
"173774141378478538531125887402733948298"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-7a2462c1"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"function": "avct_lcb_msg_ind",
"file": "system/stack/avct/avct_lcb_act.cc"
},
"deprecated": false,
"digest": {
"function_hash": "298131935973619507107049381436297318889",
"length": 1581.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-7c1040b7"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"file": "system/stack/rfcomm/rfc_utils.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"74641538914346852857267348249740164903",
"293395952620485091978881415781896805742",
"266579781076762653552747380862386612904",
"310074054473201161610099806162878752225",
"42250379856589024969395104863387963094",
"1836413212261462881434922511270017843",
"339312077979917122918925805090104541575"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-7ca19e21"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"file": "system/stack/bnep/bnep_utils.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"71016669386664999699571887293822839632",
"158418248385361645084367451181786161370",
"111150459039969148351689205583351752605",
"296544364640014085120524446797662561862",
"314269659719338931261932183198514959018",
"85671645750158290750940906116145001785",
"278689253255781974557001976675962955782",
"246299187267508569837624111916129823843"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-7ff5ab72"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"function": "rfc_check_send_cmd",
"file": "system/stack/rfcomm/rfc_utils.cc"
},
"deprecated": false,
"digest": {
"function_hash": "253678056635035088504033523220752328234",
"length": 676.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-99e92726"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"function": "rfc_send_buf_uih",
"file": "system/stack/rfcomm/rfc_ts_frames.cc"
},
"deprecated": false,
"digest": {
"function_hash": "91424337111038413579272907700077040308",
"length": 1251.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-a1f3b7a5"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"file": "system/stack/bnep/bnep_main.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"278719654710964618101210848754009275059",
"49885897274829998276364004515720726758",
"213786969092065232671792541435749925905",
"262713393390953510170728638432178916805",
"137174571306154522262397846868544064959",
"28344529003624627703427290036788761406",
"220186030684688752703802123991787488089"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-a49c699b"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"file": "system/stack/sdp/sdp_server.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"21449444399169415137039231101742242443",
"60515099035128252460509346087551164686",
"254748262588180354977847863067803374759",
"6413842235703169635818426872924502154",
"21449444399169415137039231101742242443",
"60515099035128252460509346087551164686",
"254748262588180354977847863067803374759",
"312620671144370223027810779677125236580"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-d9d36144"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"file": "system/stack/hid/hidd_conn.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"128323925956333047702747552450695125822",
"253537584789621024230809936703314682988",
"126526341276163702897146843989459870879",
"109389038437024207784949494393571815066",
"174444684524383211097674842390477420011",
"275284755790749135861706596144142952317",
"123851060640754868022270066786042676363",
"65495981240995975797575921080681322630"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-ebe093a2"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/00555617ddbbc1a19089104c084d14f465c971ce",
"target": {
"function": "bnep_congestion_ind",
"file": "system/stack/bnep/bnep_main.cc"
},
"deprecated": false,
"digest": {
"function_hash": "41505479305311525475484895086379786917",
"length": 900.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-f2fae6b7"
}
],
"types": [
"EoP"
]
}
{
"severity": "High",
"fixes": [
"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda"
],
"spl": "2025-03-01",
"vanir_signatures": [
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"function": "rfc_check_send_cmd",
"file": "system/stack/rfcomm/rfc_utils.cc"
},
"deprecated": false,
"digest": {
"function_hash": "321200814064128877042672082823264823858",
"length": 617.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-04d03211"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"file": "system/stack/sdp/sdp_server.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"91418632319498322876677883531524763797",
"9566919150869272321742117416091613434",
"254748262588180354977847863067803374759",
"95705185445191313933742018616909606092",
"91418632319498322876677883531524763797",
"9566919150869272321742117416091613434",
"254748262588180354977847863067803374759",
"192087470961399380878501811772055348289"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-2aea7575"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"function": "rfc_send_buf_uih",
"file": "system/stack/rfcomm/rfc_ts_frames.cc"
},
"deprecated": false,
"digest": {
"function_hash": "97950963671516076722907839761488627701",
"length": 1196.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-47cdd9bf"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"function": "process_service_attr_req",
"file": "system/stack/sdp/sdp_server.cc"
},
"deprecated": false,
"digest": {
"function_hash": "73697139206039476712285903623227021937",
"length": 5998.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-6d42be5f"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"file": "system/stack/rfcomm/rfc_utils.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"299451248804576891787932252786131493340",
"192083520513499272022928318348902377499",
"79511065831158490707500604246310708319",
"304762324907287739139098819688307468929",
"195168152284684033935047996135140923235",
"1836413212261462881434922511270017843",
"310857444648749042189900469046990731281"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-7a411eb4"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"function": "process_service_attr_rsp",
"file": "system/stack/sdp/sdp_discovery.cc"
},
"deprecated": false,
"digest": {
"function_hash": "135461965972903847797979952307998347766",
"length": 2544.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-7dcb9945"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"function": "process_service_search",
"file": "system/stack/sdp/sdp_server.cc"
},
"deprecated": false,
"digest": {
"function_hash": "46563877092635324401260374702719991207",
"length": 2294.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-860cf7ea"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"function": "bnepu_check_send_packet",
"file": "system/stack/bnep/bnep_utils.cc"
},
"deprecated": false,
"digest": {
"function_hash": "285997084590554510617268480406656919495",
"length": 622.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-9ad5621e"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"function": "avct_lcb_msg_ind",
"file": "system/stack/avct/avct_lcb_act.cc"
},
"deprecated": false,
"digest": {
"function_hash": "67090635879745761987134938786039020001",
"length": 1505.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-9c4f8733"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"file": "system/stack/sdp/sdp_discovery.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"250317447892411460895860938264291182803",
"167288907091122585214705296993377740906",
"320217447774151956406964022062422034648",
"307622193380667158305078197192178528596"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-a3166250"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"file": "system/stack/rfcomm/rfc_ts_frames.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"286492870679602804280964940989204901945",
"211254896647837242848190817971513218553",
"207085936720236288918878956511547821502",
"129281804899115056214162404989653148181",
"321023820521853794160621058226240787268",
"160892530356149352026281647557871454263",
"64009599396143373018022061541708527060"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-a4832bd8"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"file": "system/stack/hid/hidd_conn.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"308105771725349232725393550909388403893",
"73734462354003377920339872300758312218",
"310280735229051794442434446013687597567",
"148345859783989005339004394524836323283",
"118296014518729984433001555325446521922",
"123851060640754868022270066786042676363",
"65495981240995975797575921080681322630"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-ad7c336a"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"file": "system/stack/bnep/bnep_main.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"6307759565825593520286495790524229088",
"93877622375622581870259841540856315783",
"195524062534868238641192477062326844709",
"74636732666957017306843496165923802965",
"28344529003624627703427290036788761406",
"257411923728504995207558690776844541915"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-e1180a62"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"function": "hidd_check_config_done",
"file": "system/stack/hid/hidd_conn.cc"
},
"deprecated": false,
"digest": {
"function_hash": "332861680645930691677172432150399466399",
"length": 547.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-e17bc2e2"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"file": "system/stack/bnep/bnep_utils.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"71016669386664999699571887293822839632",
"231332232310912185559397053349975538853",
"182891246110962140004651294886308711034",
"23651705840465111356864563930574067669",
"227799907781282079513939111739443978695",
"278689253255781974557001976675962955782",
"24999513775547359467003169758767546009"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-eb2f47f0"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"file": "system/stack/avct/avct_lcb_act.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"142600366915217162261739578436175484793",
"244890001589744207766774534847751829751",
"75374273305427944043031912133923820740",
"295105858449008142926915246922824497309",
"54354794193376802653588396451067552222",
"258256200696726803040811278432971517861",
"105993498725994113530876733006184989955"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "ASB-A-375159480-f3ffebe3"
},
{
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/43cfd234de9ba9557118b0014513269cc1aeefda",
"target": {
"function": "bnep_congestion_ind",
"file": "system/stack/bnep/bnep_main.cc"
},
"deprecated": false,
"digest": {
"function_hash": "304391834931304677978747202437246195863",
"length": 841.0
},
"signature_type": "Function",
"id": "ASB-A-375159480-f926d9d6"
}
],
"types": [
"EoP"
]
}