Android Bluetooth Stack Privilege Escalation Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Android Bluetooth stack, specifically in the 'btif_hh_hsdata_rpt_copy_cb' function in 'bta_hh.cc'. The freed memory can be reused, leading to memory corruption and local privilege escalation over Bluetooth. No additional execution privileges are required for exploitation, and no user interaction is needed.

Impact

Exploitation of this vulnerability could result in unauthorized privileges being granted, potentially allowing a user to perform actions or access resources that are normally restricted.

Reproduction

The vulnerability can be reproduced by building the Android Open Source Project (AOSP) with the default Fluoride Bluetooth stack. After compiling and running the Bluetooth daemon, the use-after-free condition is triggered by a crafted Human Interface Device (HID) report, which leads to memory corruption and privilege escalation.

Remediation

Users can update to the March 2025 security patch level to address this vulnerability.
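The remediation is a patch level, so the practical check on a fleet is whether each device reports a security patch level at or after March 2025. The script below is an added example, not part of this advisory; it assumes the patch level string comes from the device property ro.build.version.security_patch (read with adb shell getprop), which is formatted as YYYY-MM-DD, and it treats 2025-03-01 as the earliest patch level that carries the fix.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a device's reported
# security patch level already includes the March 2025 fix.
# Assumption: the level string is the value of ro.build.version.security_patch,
# formatted YYYY-MM-DD (e.g. "2025-03-05").

REQUIRED_PATCH_LEVEL="2025-03-01"   # March 2025 patch level named in the remediation

# patch_is_current LEVEL
#   returns 0 if LEVEL is on or after REQUIRED_PATCH_LEVEL,
#   returns 1 if it is older,
#   returns 2 if LEVEL is not a YYYY-MM-DD string (unknown state).
patch_is_current() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # ISO dates compare correctly as plain strings; expr does a
    # lexicographic comparison because the operands are not integers.
    expr "$level" \>= "$REQUIRED_PATCH_LEVEL" >/dev/null
}

# patch_status LEVEL -> prints one of: patched, vulnerable, unknown
patch_status() {
    patch_is_current "$1"
    case $? in
        0) echo "patched" ;;
        1) echo "vulnerable" ;;
        *) echo "unknown" ;;
    esac
}

# Optional live check against an attached device: run with --device.
# Requires adb; the property value is read from the device and CRs stripped.
if [ "${1:-}" = "--device" ]; then
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "security patch level $level: $(patch_status "$level")"
fi
```

A device that reports "unknown" should be treated as unpatched until its build can be verified, since a malformed or empty property value usually means a custom or pre-release build rather than a patched one.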

Added: Aug 26, 2025, 11:38 PM
Updated: Aug 26, 2025, 11:38 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.