Android Bluetooth Module Out-of-Bounds Read Vulnerability in SDP Discovery Component

Vulnerability

A possible out-of-bounds read has been identified in the Android Bluetooth module, specifically within the Service Discovery Protocol (SDP) component. The issue is a missing bounds check in the 'add_attr' function of 'sdp_discovery.cc': attribute data received from a remote device can be read past the end of the buffer that holds it, which could lead to remote information disclosure with no additional execution privileges and no user interaction required. The vulnerability affects several Android versions.
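To illustrate the kind of check the advisory says was missing, the following is an added example written for this page; it is not the AOSP or Fluoride code, and the record layout, structure names and the 'add_attr_checked' / 'parse_attr_list' functions are assumptions chosen to mirror SDP data-element encoding (a header byte carrying a 5-bit type and 3-bit size index, optionally followed by an explicit length). Every read of the incoming bytes is gated on the number of bytes actually present, so a truncated or oversized attribute is rejected instead of being copied from beyond the buffer. The sample buffers are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical attribute store for this example (not an AOSP structure). */
#define MAX_ATTR_VALUE 64

typedef struct {
    uint16_t id;                     /* 16-bit SDP attribute ID */
    uint8_t  type;                   /* data-element type (upper 5 bits of header) */
    uint8_t  value[MAX_ATTR_VALUE];  /* raw payload bytes */
    size_t   value_len;
} sdp_attr_t;

/*
 * Decode a data-element header at p[0..], given `remaining` readable bytes.
 * Size index 0..4 -> fixed payload of 1,2,4,8,16 bytes (0 bytes for NIL type 0);
 * size index 5,6,7 -> payload length carried in the next 1,2,4 bytes.
 * Returns false if even the header would run past the end of the buffer.
 */
static bool sdp_elem_header(const uint8_t *p, size_t remaining,
                            uint8_t *type, size_t *hdr_len, size_t *payload_len)
{
    if (remaining < 1) return false;
    uint8_t size_idx = p[0] & 0x07;
    *type = p[0] >> 3;
    switch (size_idx) {
    case 0: case 1: case 2: case 3: case 4:
        *hdr_len = 1;
        *payload_len = (*type == 0 && size_idx == 0) ? 0 : ((size_t)1 << size_idx);
        return true;
    case 5:
        if (remaining < 2) return false;
        *hdr_len = 2; *payload_len = p[1];
        return true;
    case 6:
        if (remaining < 3) return false;
        *hdr_len = 3; *payload_len = ((size_t)p[1] << 8) | p[2];
        return true;
    default: /* size index 7 */
        if (remaining < 5) return false;
        *hdr_len = 5;
        *payload_len = ((size_t)p[1] << 24) | ((size_t)p[2] << 16) |
                       ((size_t)p[3] << 8)  | p[4];
        return true;
    }
}

/*
 * Add one attribute (2-byte ID followed by one data element) from `buf`.
 * Returns the number of bytes consumed, or 0 if the record is truncated,
 * malformed, or larger than the store can hold. No byte is read before
 * the check that it lies inside `len`.
 */
static size_t add_attr_checked(const uint8_t *buf, size_t len, sdp_attr_t *out)
{
    if (len < 2) return 0;                                  /* no room for the ID */
    uint16_t id = ((uint16_t)buf[0] << 8) | buf[1];
    uint8_t type; size_t hdr, plen;
    if (!sdp_elem_header(buf + 2, len - 2, &type, &hdr, &plen)) return 0;
    if (plen > len - 2 - hdr) return 0;                     /* payload would run off the end */
    if (plen > MAX_ATTR_VALUE) return 0;                    /* would not fit the store */
    out->id = id; out->type = type; out->value_len = plen;
    memcpy(out->value, buf + 2 + hdr, plen);
    return 2 + hdr + plen;
}

/* Walk a whole attribute list; stops at the first record that fails the checks. */
static size_t parse_attr_list(const uint8_t *buf, size_t len,
                              sdp_attr_t *attrs, size_t max_attrs)
{
    size_t off = 0, n = 0;
    while (off < len && n < max_attrs) {
        size_t used = add_attr_checked(buf + off, len - off, &attrs[n]);
        if (used == 0) break;       /* truncated or malformed: do not read past len */
        off += used; n++;
    }
    return n;
}

/* Constructed sample: ServiceRecordHandle (uint32) then ServiceClassIDList
 * (a sequence holding one UUID16). */
static const uint8_t SAMPLE_OK[] = {
    0x00, 0x00, 0x0A, 0x00, 0x01, 0x00, 0x00,   /* id 0x0000, uint32 0x00010000 */
    0x00, 0x01, 0x35, 0x03, 0x19, 0x11, 0x01    /* id 0x0001, seq{ uuid16 0x1101 } */
};
/* Constructed sample: header claims 255 payload bytes but none follow. */
static const uint8_t SAMPLE_BAD[] = { 0x00, 0x01, 0x35, 0xFF };

int main(void)
{
    sdp_attr_t attrs[4];
    printf("well-formed: %zu attrs\n", parse_attr_list(SAMPLE_OK, sizeof SAMPLE_OK, attrs, 4));
    printf("truncated:   %zu attrs\n", parse_attr_list(SAMPLE_OK, 12, attrs, 4));
    printf("oversized:   %zu bytes consumed\n", add_attr_checked(SAMPLE_BAD, sizeof SAMPLE_BAD, attrs));
    return 0;
}
```

The important line is the comparison of the declared payload length against the bytes remaining after the ID and header; without it, a remote peer that declares a length larger than the response it actually sent would cause the copy to read adjacent memory, which is the information-disclosure outcome the advisory describes.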

Impact

Exploitation of this vulnerability could result in unauthorized remote information disclosure.

Reproduction

The vulnerability can be reproduced by building and running the Android Open Source Project (AOSP) with the Fluoride Bluetooth stack. A Debian-based distribution such as Debian Bullseye or Ubuntu 20.10 or newer is suitable, with Clang 11 or 12, Flex 2.6.x, and Bison 3.x.x installed. After the build environment is set up and the necessary dependencies are downloaded, the Bluetooth module can be compiled and the 'btadapterd' service run with the 'hci' option to simulate a Bluetooth interface. The vulnerability is then triggered when the Bluetooth stack processes SDP attributes.

Remediation

Users can update to the June 2025 security patch level, which addresses this vulnerability. Instructions for checking and updating Android versions are available on the Android Support website.

Added: Sep 4, 2025, 6:52 PM
Updated: Sep 4, 2025, 6:52 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         0.6
exploitability: 8.4
remediation:    0.0
relevance:      0.5
threat:         4.8
urgency:        2.9
incentive:      5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.