In gattprocessprepwritersp of gatt_cl.cc, there is a possible privilege escalation due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 888.0, "function_hash": "327308509473520656259748089261658192523" }, "id": "ASB-A-274617156-c2458c64", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5691da36ac2660ce6bef5e66ab6bfc44b2a5234c", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/gatt_cl.cc", "function": "gatt_process_prep_write_rsp" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "318440185895434637676380588862911382286", "13514835453571790780077099379225445734", "28648695534725913265346600049273226947", "145670385113418970428262088660637920665", "277598990240879637461296365000270535121", "67207769955544220583744134133328629092", "166843589009004638375159620055223363904", "263351727945242443198419910108234088999" ] }, "id": "ASB-A-274617156-e2d14812", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5691da36ac2660ce6bef5e66ab6bfc44b2a5234c", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/gatt_cl.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5691da36ac2660ce6bef5e66ab6bfc44b2a5234c", "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2dea9ee94cb226e1d4512605ecd3eb6c10a23469" ], "spl": "2023-09-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "318440185895434637676380588862911382286", "13514835453571790780077099379225445734", "28648695534725913265346600049273226947", "145670385113418970428262088660637920665", "277598990240879637461296365000270535121", "67207769955544220583744134133328629092", "166843589009004638375159620055223363904", "263351727945242443198419910108234088999" ] }, "id": "ASB-A-274617156-13263728", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cbaa83627b328eee8f2e26188909a5ebfb0388d5", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/gatt_cl.cc" }, "signature_type": "Line" }, { "digest": { "length": 888.0, "function_hash": "327308509473520656259748089261658192523" }, "id": "ASB-A-274617156-c53db921", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cbaa83627b328eee8f2e26188909a5ebfb0388d5", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/gatt_cl.cc", "function": "gatt_process_prep_write_rsp" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cbaa83627b328eee8f2e26188909a5ebfb0388d5" ], "spl": "2023-09-01", "severity": "Critical", "types": [ "RCE" ] }