Android Bluetooth Fluoride Out-of-Bounds Read Vulnerability in bta_av_aact.cc
Vulnerability
A type confusion issue in the Bluetooth Fluoride module can lead to an out-of-bounds read. The vulnerability is located in the 'bta_av_config_ind' function of 'bta_av_aact.cc' and could result in local information disclosure; exploitation requires no additional execution privileges and no user interaction.
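To make the bug class concrete, the following C program is an added illustration written for this page; it is not Fluoride code and does not reproduce the actual flaw in 'bta_av_config_ind', whose internals the advisory does not describe. The event tags (EVT_OPEN, EVT_CONFIG_IND), the 'config_ind' payload layout and the helper names are assumptions. It shows the general shape of a type-confusion-to-out-of-bounds-read bug: an event handler that reinterprets a received event as a larger struct without confirming the type tag and length reads past the end of the buffer, while the checked handler rejects mismatched or truncated events before touching the payload. The unchecked path is measured (how many bytes the read would overrun) rather than executed, so the program is safe to run.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical event tags; not the real BTA AV event values. */
enum event_type { EVT_OPEN = 1, EVT_CONFIG_IND = 2 };

/* Every event starts with a header: a type tag and the payload length. */
struct event_hdr {
    uint8_t type;
    uint8_t len;
};

/* Hypothetical payload layout for a configuration indication. */
struct config_ind {
    uint8_t handle;
    uint8_t codec_len;
    uint8_t codec_info[8];
    uint8_t num_protect;
    uint8_t protect_info[4];
};

enum handle_result { HANDLE_OK = 0, HANDLE_BAD_TYPE = 1, HANDLE_TOO_SHORT = 2 };

/* The unchecked pattern, measured rather than executed: if a handler
 * reinterprets a 'total'-byte event as header + struct config_ind without
 * checking the tag or length, this is how many bytes past the end of the
 * buffer it would read (0 means the read stays in bounds). */
size_t config_ind_overrun(size_t total) {
    size_t needed = sizeof(struct event_hdr) + sizeof(struct config_ind);
    return needed > total ? needed - total : 0;
}

/* The hardened pattern: confirm the discriminator matches the struct we are
 * about to read, and that both the declared payload length and the actual
 * buffer are large enough, before copying the payload out. */
enum handle_result handle_config_ind(const uint8_t *buf, size_t total,
                                     struct config_ind *out) {
    struct event_hdr hdr;
    if (total < sizeof hdr)
        return HANDLE_TOO_SHORT;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.type != EVT_CONFIG_IND)
        return HANDLE_BAD_TYPE;        /* type confusion caught here */
    if (hdr.len < sizeof *out || total - sizeof hdr < hdr.len)
        return HANDLE_TOO_SHORT;       /* short or truncated payload */
    memcpy(out, buf + sizeof hdr, sizeof *out);
    return HANDLE_OK;
}

/* Returns the parsed handle on success, or the negated rejection code. */
int parse_config_handle(const uint8_t *buf, size_t total) {
    struct config_ind c;
    enum handle_result r = handle_config_ind(buf, total, &c);
    return r == HANDLE_OK ? (int)c.handle : -(int)r;
}

/* Constructed sample events: a 2-byte OPEN payload and a full CONFIG_IND. */
static const uint8_t sample_open[] = { EVT_OPEN, 2, 0x01, 0x00 };
static const uint8_t sample_config[] = {
    EVT_CONFIG_IND, 15,
    0x01,                                           /* handle */
    0x02,                                           /* codec_len */
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* codec_info */
    0x00,                                           /* num_protect */
    0x00, 0x00, 0x00, 0x00                          /* protect_info */
};

int main(void) {
    printf("unchecked cast of OPEN event as CONFIG_IND would overrun by %zu bytes\n",
           config_ind_overrun(sizeof sample_open));
    printf("checked handler on OPEN event: %d\n",
           parse_config_handle(sample_open, sizeof sample_open));
    printf("checked handler on CONFIG_IND event: handle %d\n",
           parse_config_handle(sample_config, sizeof sample_config));
    return 0;
}
```

The point of the two length checks is that neither the header's declared length nor the receive buffer's actual size can be trusted on its own: the declared length guards against a payload that is too small for the struct, and the comparison against 'total' guards against a header that claims more bytes than were actually received.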
Impact
Exploitation of this vulnerability could lead to unauthorized local information disclosure.
Reproduction
The vulnerability can be reproduced by building and running the AOSP (Android Open Source Project) version that includes the affected Bluetooth module. This can be done on a Debian-based Linux distribution, such as Debian Bullseye or Ubuntu 20.10 or newer, with Clang 11 or 12, Flex 2.6.x, and Bison 3.x.x. After setting up the build environment and compiling the Bluetooth module, the 'btadapterd' service can be run with the 'hci' option to simulate Bluetooth activity; the vulnerability is triggered during normal operation.
Remediation
Update to an Android build with a security patch level of 2025-05-01 or later, which addresses this vulnerability. On devices running Android 10 and later, the patch can also be delivered through a Google Play system update.