Android Bluetooth Module Elevation of Privilege Vulnerability
Vulnerability
A logic error in the Android Bluetooth module can leave AVDTP and AVCTP channels unencrypted. This can lead to local elevation of privilege, with user execution privileges needed for exploitation. No user interaction is needed to exploit this vulnerability.
Impact
Exploitation of this vulnerability could result in unauthorized access to privileged operations or resources, allowing a user to gain elevated rights or permissions that could be misused.
Reproduction
The vulnerability can be reproduced by building and running the Android Open Source Project (AOSP) with the Fluoride Bluetooth stack. This can be done on a Debian-based Linux distribution, such as Debian Bullseye or Ubuntu 20.10 or newer. After setting up the necessary build environment and dependencies, the Bluetooth module can be compiled and the resulting binary executed. The vulnerability takes advantage of the default Bluetooth channels, which can be accessed through the Bluetooth interface.
Remediation
Users can update to the March 2025 security patch level, which addresses this vulnerability. Instructions for checking and updating the security patch level are available on the Android Support website.
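One way to check devices against that patch level, as an added example that is not part of the original advisory. It assumes the level is read from the `ro.build.version.security_patch` property and, because the advisory does not say which March 2025 level carries the fix, compares year and month only; the device names in the inventory are constructed.

```shell
#!/bin/sh
# Added example: classify Android devices against the March 2025 patch level.
# REQUIRED_MONTH is taken from the advisory. Assumption: the day part (-01 or
# -05) is ignored because the advisory does not say which level has the fix.
REQUIRED_MONTH="2025-03"

# patch_status LEVEL -> prints patched | vulnerable | unknown
# LEVEL is the value of ro.build.version.security_patch (YYYY-MM-DD).
patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # empty, truncated or malformed value
    esac
    month=${1%-*}                                # 2025-02-05 -> 2025-02
    have=$(echo "$month" | tr -d '-')            # 2025-02    -> 202502
    need=$(echo "$REQUIRED_MONTH" | tr -d '-')   # 2025-03    -> 202503
    if [ "$have" -ge "$need" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# audit_inventory: read "SERIAL PATCHLEVEL" lines on stdin,
# print "SERIAL STATUS" for each device.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        echo "$serial $(patch_status "$level")"
    done
}

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY='emulator-5554 2025-03-05
lab-phone-01 2025-02-05
lab-tablet-02 2024-12-01
kiosk-03 unknown-build'

echo "$SAMPLE_INVENTORY" | audit_inventory

# On a connected device, feed the real value instead:
#   patch_status "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
```

Devices reported as `unknown` should be checked by hand rather than treated as patched.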
