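In avrc_msg_cback of avrc_api.cc, there is a possible out-of-bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The signature records below tie the fix to platform/system/bt commit dc07e927b1272be92095a47634dce0ba3b44b4fd and to security patch level 2021-05-01.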
{ "vanir_signatures": [ { "digest": { "length": 6340.0, "function_hash": "141229084215930000517804498151885108027" }, "id": "ASB-A-177611958-7705428f", "source": "https://android.googlesource.com/platform/system/bt/+/dc07e927b1272be92095a47634dce0ba3b44b4fd", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_api.cc", "function": "avrc_msg_cback" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "150526927012349828544716931783640751422", "149995605094085377647301397251620837487", "111438774854508784820030139337456414102", "102394801961573258940149572632047047712", "136400734491565729666473351706100250063" ] }, "id": "ASB-A-177611958-b535a274", "source": "https://android.googlesource.com/platform/system/bt/+/dc07e927b1272be92095a47634dce0ba3b44b4fd", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_api.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/dc07e927b1272be92095a47634dce0ba3b44b4fd" ], "spl": "2021-05-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "150526927012349828544716931783640751422", "149995605094085377647301397251620837487", "111438774854508784820030139337456414102", "102394801961573258940149572632047047712", "136400734491565729666473351706100250063" ] }, "id": "ASB-A-177611958-575153cc", "source": "https://android.googlesource.com/platform/system/bt/+/dc07e927b1272be92095a47634dce0ba3b44b4fd", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_api.cc" }, "signature_type": "Line" }, { "digest": { "length": 6340.0, "function_hash": "141229084215930000517804498151885108027" }, "id": "ASB-A-177611958-e8eb4abd", "source": "https://android.googlesource.com/platform/system/bt/+/dc07e927b1272be92095a47634dce0ba3b44b4fd", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_api.cc", "function": "avrc_msg_cback" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/dc07e927b1272be92095a47634dce0ba3b44b4fd" ], "spl": "2021-05-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "150526927012349828544716931783640751422", "149995605094085377647301397251620837487", "111438774854508784820030139337456414102", "102394801961573258940149572632047047712", "136400734491565729666473351706100250063" ] }, "id": "ASB-A-177611958-2b73d814", "source": "https://android.googlesource.com/platform/system/bt/+/dc07e927b1272be92095a47634dce0ba3b44b4fd", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_api.cc" }, "signature_type": "Line" }, { "digest": { "length": 6340.0, "function_hash": "141229084215930000517804498151885108027" }, "id": "ASB-A-177611958-fd1c531d", "source": "https://android.googlesource.com/platform/system/bt/+/dc07e927b1272be92095a47634dce0ba3b44b4fd", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_api.cc", "function": "avrc_msg_cback" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/dc07e927b1272be92095a47634dce0ba3b44b4fd" ], "spl": "2021-05-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "150526927012349828544716931783640751422", "149995605094085377647301397251620837487", "111438774854508784820030139337456414102", "102394801961573258940149572632047047712", "136400734491565729666473351706100250063" ] }, "id": "ASB-A-177611958-4801e2f8", "source": "https://android.googlesource.com/platform/system/bt/+/dc07e927b1272be92095a47634dce0ba3b44b4fd", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_api.cc" }, "signature_type": "Line" }, { "digest": { "length": 6340.0, "function_hash": "141229084215930000517804498151885108027" }, "id": "ASB-A-177611958-f68ff08e", "source": "https://android.googlesource.com/platform/system/bt/+/dc07e927b1272be92095a47634dce0ba3b44b4fd", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/avrc/avrc_api.cc", "function": "avrc_msg_cback" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/dc07e927b1272be92095a47634dce0ba3b44b4fd" ], "spl": "2021-05-01", "severity": "Critical", "types": [ "RCE" ] }