Android Bluetooth Stack Use-After-Free Vulnerability in SDP Server Component Allowing Remote Code Execution
Vulnerability
A use-after-free vulnerability has been identified in the process_service_search_attr_req function of the SDP server component of the Android Bluetooth stack. A Bluetooth peer in radio range could exploit it to execute arbitrary code on the device; no additional execution privileges and no user interaction are required. The root cause is a log statement that dereferences a structure which earlier calls in the request-handling path may already have freed, so the log runs against released memory.
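The bug class described above, as an added illustration that is not the AOSP SDP server code: a continuation record for a service-search-attribute response is released by the send path, and the vulnerable handler then logs a field from it. The struct, the quarantine allocator (which poisons freed blocks with 0xA5 and keeps them mapped, ASan-style, so the stale read is observable rather than undefined) and the function names are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the continuation record that the SDP server keeps
 * while a service-search-attribute response is being sent. Not AOSP code. */
typedef struct {
    uint8_t *p_rsp;      /* pending response bytes */
    uint16_t rsp_len;    /* number of bytes in p_rsp */
    uint16_t attr_count; /* attributes matched; what the log line reports */
} sdp_cont_t;

/* Hypothetical quarantine allocator: freeing poisons the block with 0xA5 and
 * defers the real free() until quar_flush(), so reading a released record
 * returns 0xA5A5 instead of triggering undefined behaviour. */
#define QUAR_SLOTS 16
static void *g_quar[QUAR_SLOTS];
static int g_quar_n;

void quar_flush(void) {
    for (int i = 0; i < g_quar_n; i++) free(g_quar[i]);
    g_quar_n = 0;
}

static void quar_free(void *p, size_t sz) {
    memset(p, 0xA5, sz);
    if (g_quar_n == QUAR_SLOTS) quar_flush();
    g_quar[g_quar_n++] = p;
}

sdp_cont_t *sdp_cont_new(const uint8_t *rsp, uint16_t len, uint16_t attrs) {
    sdp_cont_t *c = calloc(1, sizeof *c);
    c->p_rsp = malloc(len);
    memcpy(c->p_rsp, rsp, len);
    c->rsp_len = len;
    c->attr_count = attrs;
    return c;
}

/* Send path: once the last fragment is out the record is finished and
 * released here, which is the "freed by previous calls" situation. */
static uint16_t sdp_send_last_fragment(sdp_cont_t *c) {
    uint16_t sent = c->rsp_len;        /* stand-in for the L2CAP write */
    quar_free(c->p_rsp, c->rsp_len);
    quar_free(c, sizeof *c);
    return sent;
}

/* Vulnerable shape: the log statement runs after the record is released. */
uint16_t handle_search_attr_vuln(sdp_cont_t *c) {
    sdp_send_last_fragment(c);
    /* BUG: c was freed inside sdp_send_last_fragment; this is a use-after-free. */
    fprintf(stderr, "sdp: sent %u attributes\n", c->attr_count);
    return c->attr_count;              /* 0xA5A5 under the quarantine */
}

/* Hardened shape: copy what the log needs before the release, then clear the
 * caller's pointer so no later path in the handler can touch the record. */
uint16_t handle_search_attr_fixed(sdp_cont_t **pc) {
    uint16_t attrs = (*pc)->attr_count;
    sdp_send_last_fragment(*pc);
    *pc = NULL;
    fprintf(stderr, "sdp: sent %u attributes\n", attrs);
    return attrs;
}

/* Constructed response bytes: a DataElementSequence holding one uint16. */
static const uint8_t k_rsp[] = {0x35, 0x03, 0x09, 0x00, 0x01};

uint16_t demo_vuln_result(void) {
    sdp_cont_t *c = sdp_cont_new(k_rsp, sizeof k_rsp, 3);
    return handle_search_attr_vuln(c);
}

uint16_t demo_fixed_result(void) {
    sdp_cont_t *c = sdp_cont_new(k_rsp, sizeof k_rsp, 3);
    uint16_t r = handle_search_attr_fixed(&c);
    return c == NULL ? r : 0xFFFF;     /* 0xFFFF flags a dangling pointer */
}

int main(void) {
    printf("vuln  -> 0x%04X (poisoned, stale read)\n", demo_vuln_result());
    printf("fixed -> %u\n", demo_fixed_result());
    quar_flush();
    return 0;
}
```

The same ordering fault shows up under ASan or a poisoning allocator as a read of 0xA5-filled memory; in production the freed chunk may already be reused by an attacker-influenced allocation, which is what turns a log line into a code-execution primitive. The fix is not to remove the log but to capture the logged values before the release and to drop the pointer afterwards.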
Impact
Exploitation of this vulnerability could lead to remote code execution on the affected device.
Reproduction
The vulnerability can be reproduced by building and running the Android Open Source Project (AOSP) with the Fluoride Bluetooth stack, which is included by default. After the AOSP build completes, the Bluetooth stack is started with a command that sets the INIT_gd_hci=true init flag, which enables the GD (Gabeldorsche) HCI layer. Once the SDP server is running, the condition is triggered by sending a service search attribute request shaped so that the handling of the request releases the continuation structure before the log statement in process_service_search_attr_req reads it.
Remediation
Update to a build whose Android security patch level is 2025-03-05 or later; those builds contain the fix. The installed patch level is shown under the device's security update setting, or can be read with adb shell getprop ro.build.version.security_patch.
