{"id":"ASB-A-181860042","details":"In handle_rc_metamsg_cmd of btif_rc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-181860042","CVE-2021-0507"],"modified":"2026-04-30T15:48:46.890647Z","published":"2021-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2021-06-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/system/bt/+/4deeb022c7efe39e9ce34d9373ba900d9ed2741f"}],"affected":[{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"8.1:0"},{"fixed":"8.1:2021-06-01"}]}],"versions":["8.1"],"ecosystem_specific":{"types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/4c9874d7318114a925a1397e4d50c3adf4466cb7"],"severity":"Critical","vanir_signatures":[{"target":{"file":"stack/avrc/avrc_pars_tg.cc","function":"avrc_ctrl_pars_vendor_cmd"},"source":"https://android.googlesource.com/platform/system/bt/+/4c9874d7318114a925a1397e4d50c3adf4466cb7","signature_type":"Function","digest":{"length":975,"function_hash":"30384822939121190592029269469687542709"},"id":"ASB-A-181860042-20bf1869","signature_version":"v1","deprecated":false},{"target":{"file":"stack/avrc/avrc_pars_tg.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/4c9874d7318114a925a1397e4d50c3adf4466cb7","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["209051549421598997493608576163822465820","185812421405846509614530449186919713536","297828353395766766323788684671303738769","103601486506301070812485503618532030479"]},"id":"ASB-A-181860042-6ca4b5d6","signature_version":"v1","deprecated":false}],"spl":"2021-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-181860042.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"9:0"},{"fixed":"9:2021-06-01"}]}],"versions":["9"],"ecosystem_specific":{"types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/2901716406e6919a286d73eb596c5e16e117dca0"],"severity":"Critical","vanir_signatures":[{"target":{"file":"stack/avrc/avrc_pars_tg.cc","function":"avrc_ctrl_pars_vendor_cmd"},"source":"https://android.googlesource.com/platform/system/bt/+/2901716406e6919a286d73eb596c5e16e117dca0","signature_type":"Function","digest":{"length":975,"function_hash":"30384822939121190592029269469687542709"},"id":"ASB-A-181860042-28e3190e","signature_version":"v1","deprecated":false},{"target":{"file":"stack/avrc/avrc_pars_tg.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/2901716406e6919a286d73eb596c5e16e117dca0","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["209051549421598997493608576163822465820","185812421405846509614530449186919713536","297828353395766766323788684671303738769","103601486506301070812485503618532030479"]},"id":"ASB-A-181860042-cbe888c8","signature_version":"v1","deprecated":false}],"spl":"2021-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-181860042.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2021-06-01"}]}],"versions":["10"],"ecosystem_specific":{"types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/d667a2f6d043d34ee59174b7036e695ad0953ab4"],"severity":"Critical","vanir_signatures":[{"target":{"file":"stack/avrc/avrc_pars_tg.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/d667a2f6d043d34ee59174b7036e695ad0953ab4","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["209051549421598997493608576163822465820","185812421405846509614530449186919713536","297828353395766766323788684671303738769","103601486506301070812485503618532030479"]},"id":"ASB-A-181860042-3d4232cc","signature_version":"v1","deprecated":false},{"target":{"file":"stack/avrc/avrc_pars_tg.cc","function":"avrc_ctrl_pars_vendor_cmd"},"source":"https://android.googlesource.com/platform/system/bt/+/d667a2f6d043d34ee59174b7036e695ad0953ab4","signature_type":"Function","digest":{"length":975,"function_hash":"30384822939121190592029269469687542709"},"id":"ASB-A-181860042-8fdefab9","signature_version":"v1","deprecated":false}],"spl":"2021-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-181860042.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2021-06-01"}]}],"versions":["11"],"ecosystem_specific":{"types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/4deeb022c7efe39e9ce34d9373ba900d9ed2741f"],"severity":"Critical","vanir_signatures":[{"target":{"file":"stack/avrc/avrc_pars_tg.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/4deeb022c7efe39e9ce34d9373ba900d9ed2741f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["229747177241047671136006243129545939521","194936249656141924618396571107547943231","297828353395766766323788684671303738769","103601486506301070812485503618532030479"]},"id":"ASB-A-181860042-6190d499","signature_version":"v1","deprecated":false},{"target":{"file":"stack/avrc/avrc_pars_tg.cc","function":"avrc_ctrl_pars_vendor_cmd"},"source":"https://android.googlesource.com/platform/system/bt/+/4deeb022c7efe39e9ce34d9373ba900d9ed2741f","signature_type":"Function","digest":{"length":1021,"function_hash":"335736388932527993337630848351454608353"},"id":"ASB-A-181860042-bd8c2c67","signature_version":"v1","deprecated":false}],"spl":"2021-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-181860042.json"}}],"schema_version":"1.7.5"}