ASB-A-274617156

Import Source
https://storage.googleapis.com/android-osv/ASB-A-274617156.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-274617156
Aliases
  • A-274617156
  • CVE-2023-35658
Published
2023-09-01T00:00:00Z
Modified
2024-08-07T19:29:04.998412Z
Summary
[Bluetooth][GATT] Use-After-Free in function `gatt_process_prep_write_rsp`.
Details

In `gatt_process_prep_write_rsp` of `gatt_cl.cc`, there is a possible privilege escalation due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/packages/modules/Bluetooth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13-next:0
Fixed
13-next:2023-09-01

Affected versions

Other

13-next

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 888.0,
                "function_hash": "327308509473520656259748089261658192523"
            },
            "id": "ASB-A-274617156-c2458c64",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5691da36ac2660ce6bef5e66ab6bfc44b2a5234c",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/stack/gatt/gatt_cl.cc",
                "function": "gatt_process_prep_write_rsp"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                ]
            },
            "id": "ASB-A-274617156-e2d14812",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5691da36ac2660ce6bef5e66ab6bfc44b2a5234c",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/stack/gatt/gatt_cl.cc"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5691da36ac2660ce6bef5e66ab6bfc44b2a5234c",
        "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2dea9ee94cb226e1d4512605ecd3eb6c10a23469"
    ],
    "spl": "2023-09-01",
    "severity": "Critical",
    "types": [
        "RCE"
    ]
}

Android / platform/packages/modules/Bluetooth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2023-09-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                ]
            },
            "id": "ASB-A-274617156-13263728",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cbaa83627b328eee8f2e26188909a5ebfb0388d5",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/stack/gatt/gatt_cl.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 888.0,
                "function_hash": "327308509473520656259748089261658192523"
            },
            "id": "ASB-A-274617156-c53db921",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cbaa83627b328eee8f2e26188909a5ebfb0388d5",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/stack/gatt/gatt_cl.cc",
                "function": "gatt_process_prep_write_rsp"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/cbaa83627b328eee8f2e26188909a5ebfb0388d5"
    ],
    "spl": "2023-09-01",
    "severity": "Critical",
    "types": [
        "RCE"
    ]
}