Android Bluetooth Stack Arbitrary Code Execution Vulnerability
Vulnerability
A use-after-free vulnerability has been identified in the Android Bluetooth stack, in the 'hidd_check_config_done' function of 'hidd_conn.cc', which belongs to the HID device (HIDD) profile's connection handling. The bug can lead to arbitrary code execution in the Bluetooth process and, through it, to unauthorized access to local information. Exploitation requires no additional execution privileges and no user interaction.
Impact
Successful exploitation gives the attacker arbitrary code execution within the Bluetooth stack process, which can be used to manipulate Bluetooth functionality or to access sensitive information reachable from that process.
Reproduction
The steps described here set up a test environment rather than a complete trigger. Build the Android Open Source Project (AOSP) 'Fluoride' Bluetooth stack on a Debian-based distribution (Debian Bullseye, or Ubuntu 20.10 or newer): install the build dependencies, then compile the Bluetooth module. Once built, run the 'btadapterd' service with 'INIT_gd_hci=true'. Note that running the daemon only makes the HID device code reachable; 'hidd_check_config_done' runs while a HID device connection's L2CAP channels are being configured, so reaching the vulnerable path additionally requires a peer interacting with the device's HID profile. Treat this as the setup for analysis, not as a proof of concept.
Remediation
Update to a build carrying the March 2025 Android security patch level or later, which addresses this vulnerability. The installed patch level can be read from the 'ro.build.version.security_patch' system property (for example with 'adb shell getprop ro.build.version.security_patch') or from the device's Settings.
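As an added check (an example script written for this page, not part of the advisory or of AOSP), the following reads 'ro.build.version.security_patch' over adb from every attached device and reports whether it is at or past the fixed level. It assumes that the March 2025 bulletin corresponds to patch level 2025-03-01 and that 'adb' is on the PATH; both are assumptions, not statements from this page.

```shell
#!/bin/sh
# Added example: fleet check of the Android security patch level against the
# level that fixes this issue. Not from the advisory or from AOSP.
# Assumption: the March 2025 bulletin maps to patch level 2025-03-01.

FIXED_PATCH_LEVEL="2025-03-01"

# patch_level_is_fixed LEVEL
# Returns 0 (true) when LEVEL is a well-formed YYYY-MM-DD string that is at or
# past FIXED_PATCH_LEVEL, 1 otherwise. An empty or malformed value is treated
# as unpatched, so a device that fails to report a level is never reported OK.
patch_level_is_fixed() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # YYYY-MM-DD with the dashes removed is an integer that orders by date.
    level_num="$(printf '%s' "$level" | tr -d '-')"
    fixed_num="$(printf '%s' "$FIXED_PATCH_LEVEL" | tr -d '-')"
    [ "$level_num" -ge "$fixed_num" ]
}

# check_device SERIAL
# Queries one adb-attached device and prints a one-line verdict.
check_device() {
    serial="$1"
    level="$(adb -s "$serial" shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')"
    if patch_level_is_fixed "$level"; then
        printf '%s\tpatch level %s\tOK (>= %s)\n' "$serial" "$level" "$FIXED_PATCH_LEVEL"
        return 0
    fi
    printf '%s\tpatch level %s\tVULNERABLE (< %s)\n' "$serial" "${level:-unknown}" "$FIXED_PATCH_LEVEL"
    return 1
}

# check_all_devices
# Walks every device in "adb devices" that is in the "device" state; exits
# non-zero if any of them is behind the fixed level.
check_all_devices() {
    rc=0
    for serial in $(adb devices | awk 'NR>1 && $2=="device" {print $1}'); do
        check_device "$serial" || rc=1
    done
    return $rc
}

# Run the fleet check only when invoked as: sh check_patch_level.sh --run
if [ "${1:-}" = "--run" ]; then
    check_all_devices
fi
```

The comparison is done on the property string rather than on the bulletin name because devices may report either the 2025-03-01 or the 2025-03-05 level for the same month; both compare as fixed. A device that reports nothing (old adb, restricted shell, or a locked bootloader image that strips the property) is deliberately counted as vulnerable rather than silently skipped.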
