Android Bluetooth Module Elevation of Privilege Vulnerability
Vulnerability
A use-after-free vulnerability has been identified in the Android Bluetooth module, specifically in the 'avct_lcb_msg_ind' function of 'avct_lcb_act.cc'. The defect allows arbitrary code execution and can lead to local elevation of privilege. The root cause is a memory-unsafe logging practice: a logging statement reads memory that has already been released. Exploitation requires no additional execution privileges and no user interaction.
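To make the bug class concrete, the following is an added example, not code from the Android Bluetooth stack: a hypothetical, simplified link control block (the 'lcb_t' type, 'lcb_release' and the two handlers are constructed for illustration) where a log statement dereferences the block after it has been released, shown beside the corrected ordering. A real free() would hand the memory to the allocator; here release poisons the block so the stale read is observable and deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a link control block (LCB).
 * Constructed for this example; not the Fluoride data structure. */
typedef struct {
    int in_use;
    uint16_t conn_id;
} lcb_t;

static lcb_t lcb_pool[4];   /* zero-initialised: every block starts free */

static lcb_t *lcb_alloc(uint16_t conn_id) {
    for (size_t i = 0; i < 4; i++) {
        if (!lcb_pool[i].in_use) {
            lcb_pool[i].in_use = 1;
            lcb_pool[i].conn_id = conn_id;
            return &lcb_pool[i];
        }
    }
    return NULL;
}

/* Release an LCB. The block is poisoned to mimic the memory being
 * reused by another allocation, so a read after release is visible. */
static void lcb_release(lcb_t *p_lcb) {
    memset(p_lcb, 0xEE, sizeof(*p_lcb));
    p_lcb->in_use = 0;
}

/* Vulnerable ordering: release first, then log through the dangling
 * pointer. Returns the value the log statement actually read. */
static uint16_t handle_disconnect_vulnerable(lcb_t *p_lcb) {
    lcb_release(p_lcb);
    uint16_t logged = p_lcb->conn_id;          /* use-after-free */
    printf("lcb released, conn_id=0x%04x\n", logged);
    return logged;
}

/* Hardened ordering: copy what the log needs while the block is live,
 * release, then null the caller's pointer so nothing can reuse it. */
static uint16_t handle_disconnect_fixed(lcb_t **pp_lcb) {
    uint16_t conn_id = (*pp_lcb)->conn_id;     /* captured before release */
    lcb_release(*pp_lcb);
    *pp_lcb = NULL;                            /* no dangling pointer left */
    printf("lcb released, conn_id=0x%04x\n", conn_id);
    return conn_id;
}
```

The vulnerable handler logs whatever now occupies the released block (the poison value here, attacker-influenced data in a real heap), while the fixed handler logs the genuine connection id and leaves no dangling pointer behind.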
Impact
Exploitation of this vulnerability could result in unauthorized access to elevated privileges, allowing a user to perform actions or access resources that are normally restricted.
Reproduction
The vulnerability can be reproduced by building and running the Android Open Source Project (AOSP) with the 'Fluoride' Bluetooth stack. This can be done on a Debian-based distribution or Ubuntu 20.10 or newer, after installing the necessary build dependencies and setting up the build environment. Once the AOSP is built, the Bluetooth module can be tested with a proof-of-concept that exploits the vulnerability.
Remediation
Users can update to the latest version of Android, as security patch levels of 2025-03-05 or later address this vulnerability.