Android Bluetooth Module Use-After-Free Vulnerability Leading to Local Privilege Escalation
Vulnerability
A use-after-free vulnerability has been identified in the Android Bluetooth module, specifically in the 'Fluoride' Bluetooth stack. It allows arbitrary code execution that could lead to local privilege escalation. The issue arises from log statements that read structures which may already have been freed, so the log's dereference lands on memory that has been returned to the allocator and possibly reused, creating the potential for memory corruption. Exploitation does not require additional execution privileges or user interaction.
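The bug class described above, as an added illustration that is not code from this page or from the Fluoride stack: a teardown helper that may free a per-link control block, a trailing log statement that reads the block anyway, and the corrected form that copies out the fields the log needs before releasing. All type, field and function names here are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a per-link control block such as a Bluetooth
 * stack keeps for each ACL connection. Names are hypothetical, not Fluoride's. */
typedef struct {
    int      refs;     /* outstanding references; block is freed at zero */
    uint16_t handle;   /* HCI connection handle */
    uint8_t  reason;   /* disconnect reason code */
} conn_cb_t;

/* Number of blocks currently allocated; lets a caller confirm the free. */
static int g_live_blocks = 0;

static conn_cb_t *conn_alloc(uint16_t handle, uint8_t reason) {
    conn_cb_t *cb = calloc(1, sizeof(*cb));
    if (cb == NULL) return NULL;
    cb->refs = 1;
    cb->handle = handle;
    cb->reason = reason;
    g_live_blocks++;
    return cb;
}

/* Drops one reference and frees the block on the last one. The call site
 * cannot tell whether the block survived. */
static void conn_release(conn_cb_t *cb) {
    if (--cb->refs == 0) {
        g_live_blocks--;
        free(cb);
    }
}

/* VULNERABLE pattern: the helper may free cb, and the log statement that
 * follows dereferences it regardless. When the free did happen this is a
 * use-after-free: the read returns whatever now occupies that heap chunk,
 * and an attacker who can reallocate it controls the logged values.
 * Kept here only to show the shape of the bug; it is never called. */
void conn_disconnect_vulnerable(conn_cb_t *cb) {
    conn_release(cb);
    printf("disconnected handle=0x%04x reason=0x%02x\n", cb->handle, cb->reason);
}

/* What the log line needs, copied out while the block is still live. */
typedef struct {
    uint16_t handle;
    uint8_t  reason;
} conn_log_t;

/* FIXED pattern: snapshot the fields first, release, then log from the copy.
 * Nothing touches cb after conn_release(), whether or not it freed the block. */
static conn_log_t conn_disconnect_fixed(conn_cb_t *cb) {
    conn_log_t snap = { .handle = cb->handle, .reason = cb->reason };
    conn_release(cb);
    printf("disconnected handle=0x%04x reason=0x%02x\n", snap.handle, snap.reason);
    return snap;
}

/* Returns the live-block count so the release path can be verified. */
static int conn_live_blocks(void) { return g_live_blocks; }

int main(void) {
    conn_cb_t *cb = conn_alloc(0x0041, 0x13);    /* 0x13: remote user terminated */
    conn_log_t snap = conn_disconnect_fixed(cb);  /* frees cb; logs from the copy */
    return (snap.handle == 0x0041 && conn_live_blocks() == 0) ? 0 : 1;
}
```

The same shape appears whenever a helper owns the lifetime of an object and a caller logs after calling it; the fix is to either log before the call or log only from values captured before it, never from the pointer itself. AddressSanitizer (`-fsanitize=address`) reports the vulnerable variant as a heap-use-after-free on the first call that actually frees the block.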
Impact
Successful exploitation could give a local attacker elevated privileges, allowing actions or access to resources that are normally restricted to the Bluetooth process or to more privileged components.
Reproduction
The affected code can be built and run from the Android Open Source Project (AOSP) 'Fluoride' Bluetooth stack. On a Debian-based distribution this requires Clang-11 or Clang-12 and the build dependencies listed in the stack's own build documentation. Once the Bluetooth module is compiled, the 'btadapterd' service can be started to exercise the stack. Starting the service by itself does not demonstrate the bug: the use-after-free occurs only when a code path is exercised in which a log statement reads a structure after it has been freed, and this page does not give a specific trigger for that path.
Remediation
Update to the March 2025 Android security patch level, or a later one, which addresses this vulnerability.
