Android Bluetooth Stack Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in the Android Bluetooth stack, specifically within the Hands-Free Client (HFC) module. This issue arises from a use-after-free error in the HFC callback initialization function, which can be exploited to execute arbitrary code remotely. Notably, this vulnerability does not require any additional privileges or user interaction for exploitation.
Impact
Exploitation of this vulnerability allows for remote code execution on the affected device.
Reproduction
The vulnerability can be reproduced by building and running the Android Open Source Project (AOSP) with the Fluoride Bluetooth stack. After compiling the Bluetooth module with the necessary dependencies and staging the build environment, the Bluetooth adapter daemon can be executed. The vulnerability is triggered when the Hands-Free Client initiates a discovery process, leading to the use-after-free condition that allows for remote code execution.
Remediation
Users can update to the November 2025 security patch level, which addresses this vulnerability. Device manufacturers should include this update and set the security patch level to 2025-11-01.
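One way to check devices against the patch level named above, as an added example that is not part of the original advisory. It assumes the level is read from the standard Android property `ro.build.version.security_patch` over `adb`; the function names, device serials and sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: flag devices below the fixed patch level.
REQUIRED_LEVEL="2025-11-01"   # patch level named in the Remediation section

# 0 = at or after required level, 1 = older, 2 = missing or malformed value.
patch_level_status() {
    level=$1
    required=${2:-$REQUIRED_LEVEL}
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Fixed-width ISO dates compare correctly as integers once dashes are removed.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$required" | tr -d '-')
    if [ "$have" -ge "$need" ]; then return 0; fi
    return 1
}

# Read the live value from one device (requires adb and an authorized device).
device_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Read "serial patch_level" lines on stdin and print one verdict per device.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        rc=0
        patch_level_status "$level" || rc=$?
        case $rc in
            0) verdict=PATCHED ;;
            1) verdict=OUTDATED ;;
            *) verdict=UNKNOWN ;;
        esac
        printf '%s %s %s\n' "$serial" "${level:-none}" "$verdict"
    done
}

# Constructed inventory (serials and levels are made up for the example).
sample_inventory() {
    printf '%s\n' 'DEV-A 2025-11-01' 'DEV-B 2025-10-05' 'DEV-C 2025-12-01' 'DEV-D unknown'
}

sample_inventory | audit_inventory
```

A device that reports no value or a malformed one is listed as UNKNOWN rather than assumed patched, so it can be followed up by hand.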
