Android Bluetooth Stack Privilege Escalation Vulnerability
Vulnerability
A heap buffer overflow has been identified in the Android Bluetooth stack, in the avrc_vendor_msg function of avrc_opt.cc, which is part of the AVRCP (Audio/Video Remote Control Profile) implementation. The overflow results in an out-of-bounds write on the heap. The affected code is reachable from a paired device, so a malicious peer could exploit it to gain elevated privileges on the victim device. No additional execution privileges are needed (the attacker does not need any prior code execution on the device), and no user interaction is required.
Impact
Successful exploitation allows a paired Bluetooth device to corrupt heap memory in the Bluetooth stack and escalate privileges on the affected device without any action by the user. Because the attacker must already be a paired peer, the realistic attack surface is a compromised or malicious accessory (for example a headset, car kit or remote) rather than an arbitrary nearby device.
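To make the bug class concrete, the following is an added example that models the vulnerable pattern described above (a peer-influenced length trusted when copying into a fixed-size heap buffer) next to a hardened version. It is constructed for this page and is not AOSP's avrc_opt.cc: the struct layouts, buffer sizes and function names are assumptions chosen to illustrate the overflow and the check that prevents it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an AVRCP vendor-dependent frame builder. The sizes and
 * structs are assumptions for this example; they are not AOSP's avrc_opt.cc. */
#define VENDOR_HDR_SIZE 3                 /* 24-bit company ID in front of the payload */
#define CMD_BUF_SIZE    32                /* fixed-size heap buffer holding one frame */
#define MAX_VENDOR_DATA (CMD_BUF_SIZE - VENDOR_HDR_SIZE)

typedef struct {
    uint32_t company_id;          /* 24-bit company ID */
    uint16_t vendor_len;          /* peer-influenced length of p_vendor_data */
    const uint8_t *p_vendor_data; /* peer-influenced payload */
} vendor_msg_t;

typedef struct {
    uint16_t len;                 /* bytes used in data[] */
    uint8_t data[CMD_BUF_SIZE];   /* fixed-size frame storage on the heap */
} frame_t;

static void put_company_id(uint8_t *p, uint32_t id) {
    p[0] = (uint8_t)(id >> 16);
    p[1] = (uint8_t)(id >> 8);
    p[2] = (uint8_t)id;
}

/* Vulnerable pattern: vendor_len is trusted, so memcpy runs past data[] on the
 * heap whenever vendor_len > MAX_VENDOR_DATA. Never call with an oversized message. */
frame_t *build_vendor_frame_unchecked(const vendor_msg_t *m) {
    frame_t *f = calloc(1, sizeof(*f));
    if (!f) return NULL;
    put_company_id(f->data, m->company_id);
    memcpy(f->data + VENDOR_HDR_SIZE, m->p_vendor_data, m->vendor_len); /* OOB write */
    f->len = (uint16_t)(VENDOR_HDR_SIZE + m->vendor_len);
    return f;
}

/* Hardened pattern: bound the copy by the buffer that receives it and fail closed. */
frame_t *build_vendor_frame_checked(const vendor_msg_t *m) {
    if (m->vendor_len > MAX_VENDOR_DATA) return NULL;           /* would overflow */
    if (m->vendor_len != 0 && m->p_vendor_data == NULL) return NULL;
    frame_t *f = calloc(1, sizeof(*f));
    if (!f) return NULL;
    put_company_id(f->data, m->company_id);
    if (m->vendor_len) memcpy(f->data + VENDOR_HDR_SIZE, m->p_vendor_data, m->vendor_len);
    f->len = (uint16_t)(VENDOR_HDR_SIZE + m->vendor_len);
    return f;
}

/* Returns 1 if the unchecked builder would write beyond data[] for this length. */
int vendor_frame_would_overflow(uint16_t vendor_len) {
    return (size_t)VENDOR_HDR_SIZE + vendor_len > CMD_BUF_SIZE;
}

/* Build a constructed payload of n bytes, run the checked builder, and return
 * the resulting frame length, or -1 if the builder rejected the message. */
int checked_frame_len(uint16_t n) {
    uint8_t *payload = malloc(n ? n : 1);
    if (!payload) return -1;
    memset(payload, 0xAA, n);                      /* constructed sample payload */
    vendor_msg_t m = { 0x001958u, n, payload };    /* Bluetooth SIG company ID used by AVRCP metadata */
    frame_t *f = build_vendor_frame_checked(&m);
    int len = f ? f->len : -1;
    free(f);
    free(payload);
    return len;
}

int main(void) {
    uint16_t lens[] = { 20, MAX_VENDOR_DATA, MAX_VENDOR_DATA + 1, 200 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("vendor_len=%3u: unchecked would overflow=%d, checked frame len=%d\n",
               (unsigned)lens[i], vendor_frame_would_overflow(lens[i]),
               checked_frame_len(lens[i]));
    }
    return 0;
}
```

The unchecked builder is deliberately never executed with an oversized length, since that is the out-of-bounds write itself; vendor_frame_would_overflow reports when it would happen. The fix is the usual one for this class: derive the bound from the destination buffer, reject before the copy rather than after, and treat a zero-length payload with a NULL pointer as valid input instead of a special case that bypasses the check.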
Reproduction
The vulnerable code can be built and run outside a phone using the Android Open Source Project (AOSP) Fluoride Bluetooth stack on a Debian-based distribution or Ubuntu 20.10 or newer. After installing the build dependencies and compiling the Bluetooth module, the btadapterd service is run against a host Bluetooth (HCI) interface, and the affected AVRCP vendor-dependent message path is exercised by a paired device. Note that this only reproduces the memory corruption (typically observed as a crash, or as a report under a sanitizer build); turning it into reliable privilege escalation requires control over heap layout and is outside the scope of this advisory.
Remediation
Update the device to a build carrying the September 2025 (2025-09) Android security patch level or later, which addresses this vulnerability; the installed patch level is shown in the device's Settings under the Android security update entry. Until the update is applied, limiting pairing to trusted accessories reduces exposure, since the attacker must be a paired peer. Devices that no longer receive security updates remain affected.
