In SendPacketToPeer of acl_arbiter.cc, there is a possible out of bounds read due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "signature_type": "Line", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "42513219586601643498666917077259327358", "214661696728787310131164919206585232759", "31548046443679700939958393511330554296", "86263910952918042751199429885923080603" ] }, "signature_version": "v1", "target": { "file": "system/stack/arbiter/acl_arbiter.cc" }, "id": "ASB-A-406785684-6cc39de1", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/243d7484e59730c522640b616445b2747b3062e5" } ], "types": [ "RCE" ], "severity": "Critical", "spl": "2025-09-01", "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/243d7484e59730c522640b616445b2747b3062e5" ] }
{ "vanir_signatures": [ { "signature_type": "Line", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "316396108177116684968999051970746304784", "241047315319657239551928598967010528905", "31548046443679700939958393511330554296", "218294207003004999605826659387357549421" ] }, "signature_version": "v1", "target": { "file": "system/stack/arbiter/acl_arbiter.cc" }, "id": "ASB-A-406785684-ad13fa2e", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/59d787dcbf5a95d0f00f28970dc98906f3c53832" } ], "types": [ "RCE" ], "severity": "Critical", "spl": "2025-09-01", "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/59d787dcbf5a95d0f00f28970dc98906f3c53832" ] }
{ "vanir_signatures": [ { "signature_type": "Line", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "42513219586601643498666917077259327358", "214661696728787310131164919206585232759", "31548046443679700939958393511330554296", "86263910952918042751199429885923080603" ] }, "signature_version": "v1", "target": { "file": "system/stack/arbiter/acl_arbiter.cc" }, "id": "ASB-A-406785684-8c6914b9", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d6cb1ec8d11d2a8239c9f7e824f6fbe29edeb2e6" } ], "types": [ "RCE" ], "severity": "Critical", "spl": "2025-09-01", "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d6cb1ec8d11d2a8239c9f7e824f6fbe29edeb2e6" ] }