In callbackthreadevent of comandroidbluetoothbtserviceAdapterService.cpp, there is a possible memory corruption due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 601.0, "function_hash": "312362788732837549004324994487428037529" }, "id": "ASB-A-291500341-b825de99", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff", "deprecated": false, "signature_version": "v1", "target": { "file": "android/app/jni/com_android_bluetooth_btservice_AdapterService.cpp", "function": "callback_thread_event" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "8255340654143878724535396870442594620", "36692132903426486391514882143057466613", "284954140669885612926274862545155417821", "10142301673099568437802249085449144394" ] }, "id": "ASB-A-291500341-e9053a67", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff", "deprecated": false, "signature_version": "v1", "target": { "file": "android/app/jni/com_android_bluetooth_btservice_AdapterService.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff" ], "spl": "2023-12-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "length": 601.0, "function_hash": "312362788732837549004324994487428037529" }, "id": "ASB-A-291500341-021233a4", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff", "deprecated": false, "signature_version": "v1", "target": { "file": "android/app/jni/com_android_bluetooth_btservice_AdapterService.cpp", "function": "callback_thread_event" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "8255340654143878724535396870442594620", "36692132903426486391514882143057466613", "284954140669885612926274862545155417821", "10142301673099568437802249085449144394" ] }, "id": "ASB-A-291500341-25236a74", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff", "deprecated": false, "signature_version": "v1", "target": { "file": "android/app/jni/com_android_bluetooth_btservice_AdapterService.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff" ], "spl": "2023-12-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "length": 601.0, "function_hash": "312362788732837549004324994487428037529" }, "id": "ASB-A-291500341-77e33724", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff", "deprecated": false, "signature_version": "v1", "target": { "file": "android/app/jni/com_android_bluetooth_btservice_AdapterService.cpp", "function": "callback_thread_event" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "8255340654143878724535396870442594620", "36692132903426486391514882143057466613", "284954140669885612926274862545155417821", "10142301673099568437802249085449144394" ] }, "id": "ASB-A-291500341-b45a3704", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff", "deprecated": false, "signature_version": "v1", "target": { "file": "android/app/jni/com_android_bluetooth_btservice_AdapterService.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7a5c71c32d382c0e14083f0d093ae4f5420968ff" ], "spl": "2023-12-01", "severity": "Critical", "types": [ "RCE" ] }