PUB-A-240301753

See a problem?
Import Source
https://storage.googleapis.com/android-osv/PUB-A-240301753.json
JSON Data
https://api.osv.dev/v1/vulns/PUB-A-240301753
Aliases
  • A-240301753
  • CVE-2022-20547
Published
2022-12-01T00:00:00Z
Modified
2025-11-14T16:44:49.782125Z
Summary
[none]
Details

In multiple functions of AdapterService.java, there is a possible way to manipulate Bluetooth state due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/packages/modules/Bluetooth

Package

Name
platform/packages/modules/Bluetooth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2022-12-01

Affected versions

Other

13

Ecosystem specific 

{
    "fixes": [
        "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/040c9bafc992557d46d52cc01a9a59f9632c9ef5"
    ],
    "severity": "Moderate",
    "vanir_signatures": [
        {
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/040c9bafc992557d46d52cc01a9a59f9632c9ef5",
            "signature_version": "v1",
            "id": "PUB-A-240301753-153c1481",
            "signature_type": "Function",
            "digest": {
                "function_hash": "50757252861193026122316248663512856500",
                "length": 95.0
            },
            "deprecated": false,
            "target": {
                "file": "android/app/src/com/android/bluetooth/btservice/AdapterService.java",
                "function": "retrievePendingSocketForServiceRecord"
            }
        },
        {
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/040c9bafc992557d46d52cc01a9a59f9632c9ef5",
            "signature_version": "v1",
            "id": "PUB-A-240301753-584628d6",
            "signature_type": "Line",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "336543285417397496473978538558445781741",
                    "98005519639658717479776377185710239036",
                    "306482618865635812147597580207714038625",
                    "164485076783088386561319458838342329898",
                    "37733333598715831002936735688460934045",
                    "46825822942818583563931426433874497615",
                    "34589309195499265683709687358886568426",
                    "12437621527051904480160275129763137616",
                    "19657046246639268481739371678408352158",
                    "57245045089298679319422214245157068121",
                    "338627328938833717709040215904893985703",
                    "205813472867119078439271939689028261823",
                    "182465072864460627452683452540910000013",
                    "132036065931379991755997953614229328969",
                    "253801012084625161590130167942819702864",
                    "276410169993454176363113632123180069087",
                    "103644153285883704615652652738845158337",
                    "202092097301454457647408491278318074530",
                    "240156939685891499122112131206970542621",
                    "150864257758850816607103866732968920206",
                    "314531570049188915489036879764587731981",
                    "89401730193196185691305309302792562436",
                    "251047739839568523211005578929220371911",
                    "272768074970648758069737040187655878675",
                    "222235283829659810449767859712296051497",
                    "318712999210023486609886321669960415201",
                    "155551443807599979360032300247268597483"
                ]
            },
            "deprecated": false,
            "target": {
                "file": "android/app/src/com/android/bluetooth/btservice/AdapterService.java"
            }
        },
        {
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/040c9bafc992557d46d52cc01a9a59f9632c9ef5",
            "signature_version": "v1",
            "id": "PUB-A-240301753-9ef3ca11",
            "signature_type": "Function",
            "digest": {
                "function_hash": "50757252861193026122316248663512856500",
                "length": 95.0
            },
            "deprecated": false,
            "target": {
                "file": "android/app/src/com/android/bluetooth/btservice/AdapterService.java",
                "function": "stopRfcommListener"
            }
        },
        {
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/040c9bafc992557d46d52cc01a9a59f9632c9ef5",
            "signature_version": "v1",
            "id": "PUB-A-240301753-ac71ffce",
            "signature_type": "Function",
            "digest": {
                "function_hash": "266318086400615843683495170038248093068",
                "length": 139.0
            },
            "deprecated": false,
            "target": {
                "file": "android/app/src/com/android/bluetooth/btservice/AdapterService.java",
                "function": "startRfcommListener"
            }
        },
        {
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/040c9bafc992557d46d52cc01a9a59f9632c9ef5",
            "signature_version": "v1",
            "id": "PUB-A-240301753-d20da9e3",
            "signature_type": "Function",
            "digest": {
                "function_hash": "172763928232241021055097874900121927040",
                "length": 174.0
            },
            "deprecated": false,
            "target": {
                "file": "android/app/src/com/android/bluetooth/btservice/AdapterService.java",
                "function": "allowLowLatencyAudio"
            }
        }
    ],
    "types": [
        "EoP"
    ],
    "spl": "2022-12-01"
}