Android Bluetooth Stack Privilege Escalation Vulnerability
Vulnerability
A use-after-free vulnerability has been identified in the Bluetooth stack component of Android, specifically within the BNEP (Bluetooth Network Encapsulation Protocol) utility functions. The flaw is a memory-lifetime error: a BNEP data structure is released while another code path still holds a pointer to it and continues to read or write through that pointer. An attacker who can reach the stale access can corrupt heap memory and redirect execution, which makes the bug usable for local privilege escalation. Notably, the vulnerability requires no additional execution privileges and no user interaction to be exploited.
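The pattern described above, as an added, constructed example in C that is not the AOSP/Fluoride BNEP code: a connection control block (here `bnep_ccb_t`, a made-up name and layout) is freed by the packet handler on a protocol error, but the handler returns nothing, so the caller keeps writing through its now-dangling pointer. The hardened version makes the ownership change an explicit return value and clears the caller's pointer. A tiny quarantine allocator stands in for ASan so the stale access is observed deterministically instead of being silent undefined behaviour; the packet layout and the "zero-length control packet" trigger are assumptions for illustration only, not the real trigger.

```c
/* Constructed example of the use-after-free pattern; NOT the Fluoride BNEP
 * code. Names, packet layout and trigger condition are made up. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CCB_MAGIC_LIVE  0x4C495645u   /* block is in use */
#define CCB_MAGIC_FREED 0xDEADBEEFu   /* block has been released */

typedef struct {
    uint32_t magic;
    uint16_t handle;
    uint8_t  state;
    uint32_t rx_packets;
} bnep_ccb_t;

typedef struct { uint8_t type; uint8_t len; } bnep_pkt_t;  /* constructed layout */
enum { CCB_STATE_CONNECTED = 1, PKT_CONTROL = 0x01, PKT_DATA = 0x02 };

/* Quarantine: released blocks are poisoned and kept allocated until drained,
 * so touching one is detectable rather than undefined (stand-in for ASan). */
#define QUARANTINE_SLOTS 16
static bnep_ccb_t *quarantine[QUARANTINE_SLOTS];
static int quarantine_count;

static bnep_ccb_t *ccb_alloc(uint16_t handle) {
    bnep_ccb_t *ccb = calloc(1, sizeof *ccb);
    if (!ccb) abort();
    ccb->magic = CCB_MAGIC_LIVE;
    ccb->handle = handle;
    return ccb;
}
static void ccb_release(bnep_ccb_t *ccb) {
    if (quarantine_count == QUARANTINE_SLOTS) abort();
    ccb->magic = CCB_MAGIC_FREED;
    quarantine[quarantine_count++] = ccb;
}
static void quarantine_drain(void) {
    while (quarantine_count > 0) free(quarantine[--quarantine_count]);
}
static bool ccb_is_stale(const bnep_ccb_t *ccb) { return ccb->magic != CCB_MAGIC_LIVE; }

/* Vulnerable pattern: a malformed control packet tears the connection down and
 * frees the ccb, but the handler returns void, so the caller cannot learn that
 * its pointer is now dangling. */
static void bnep_handle_pkt_vuln(bnep_ccb_t *ccb, const bnep_pkt_t *pkt) {
    if (pkt->type == PKT_CONTROL && pkt->len == 0) { ccb_release(ccb); return; }
    ccb->state = CCB_STATE_CONNECTED;
}
static bool bnep_process_vuln(bnep_ccb_t *ccb, const bnep_pkt_t *pkt) {
    bnep_handle_pkt_vuln(ccb, pkt);
    ccb->rx_packets++;          /* use after free when the handler released ccb */
    return ccb_is_stale(ccb);   /* quarantine lets us observe it instead of crashing */
}

/* Hardened pattern: the handler reports the ownership change and the caller
 * drops its pointer, so nothing touches the block after release. */
typedef enum { BNEP_CCB_ALIVE, BNEP_CCB_RELEASED } bnep_rc_t;
static bnep_rc_t bnep_handle_pkt_fixed(bnep_ccb_t *ccb, const bnep_pkt_t *pkt) {
    if (pkt->type == PKT_CONTROL && pkt->len == 0) { ccb_release(ccb); return BNEP_CCB_RELEASED; }
    ccb->state = CCB_STATE_CONNECTED;
    return BNEP_CCB_ALIVE;
}
static bool bnep_process_fixed(bnep_ccb_t **ccb_ref, const bnep_pkt_t *pkt) {
    bnep_ccb_t *ccb = *ccb_ref;
    if (ccb == NULL) return false;                       /* connection already gone */
    if (bnep_handle_pkt_fixed(ccb, pkt) == BNEP_CCB_RELEASED) {
        *ccb_ref = NULL;                                 /* drop the dangling pointer */
        return false;
    }
    ccb->rx_packets++;
    return ccb_is_stale(ccb);
}

/* Feeds one benign data packet, then the malformed control packet (both
 * constructed). Returns true when the vulnerable path touched released memory. */
bool demo_vulnerable_touches_freed_memory(void) {
    const bnep_pkt_t data = { PKT_DATA, 4 }, bad = { PKT_CONTROL, 0 };
    bnep_ccb_t *ccb = ccb_alloc(0x0040);
    bool stale = bnep_process_vuln(ccb, &data);
    stale |= bnep_process_vuln(ccb, &bad);
    quarantine_drain();
    return stale;
}
/* Same traffic through the hardened path; true when no stale access occurred
 * and the caller's pointer was cleared. */
bool demo_fixed_is_safe(void) {
    const bnep_pkt_t data = { PKT_DATA, 4 }, bad = { PKT_CONTROL, 0 };
    bnep_ccb_t *ccb = ccb_alloc(0x0040);
    bool stale = bnep_process_fixed(&ccb, &data);
    stale |= bnep_process_fixed(&ccb, &bad);
    bool dropped = (ccb == NULL);
    quarantine_drain();
    return !stale && dropped;
}

int main(void) {
    printf("vulnerable path touched freed memory: %s\n",
           demo_vulnerable_touches_freed_memory() ? "yes" : "no");
    printf("hardened path safe: %s\n", demo_fixed_is_safe() ? "yes" : "no");
    return 0;
}
```

In a real stack the write that lands on freed memory is what an attacker aims for: if the freed block is reallocated for attacker-controlled data before the stale write, that write corrupts the new object, which is the usual route from a use-after-free to code execution. The fix is the same idea as in the hardened path: whichever function releases an object must tell its caller, and the caller must stop using the pointer.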
Impact
Successful exploitation results in code execution in the context of the Bluetooth stack, allowing a local attacker (for example a malicious app already running on the device) to gain higher access rights than it was granted.
Reproduction
The vulnerability can be reproduced against a build of the Android Open Source Project (AOSP) Bluetooth stack (Fluoride). The stack builds on a Debian-based Linux distribution such as Debian Bullseye or Ubuntu 20.10 or newer; once the build environment and dependencies are set up, the Bluetooth module can be compiled and run on the host. The use-after-free condition is reached when the stack processes certain BNEP packets, and an attacker who can deliver such packets can turn the stale memory access into arbitrary code execution.
Remediation
The issue is fixed in the March 2025 Android security patch level; a device whose security patch level is 2025-03-01 or later includes the fix. Instructions for checking a device's Android version and security patch level, and for installing updates, are available on the Google Play support site.
