{"id":"ASB-A-230494481","details":"In l2cble_process_sig_cmd of l2c_ble.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-230494481","CVE-2022-20345"],"modified":"2026-04-21T15:25:42.831358Z","published":"2022-08-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-08-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/system/bt/+/e0dd01b536919d5407968eae341b72fa10ec0b7d"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/0b7fe01dd050fa4155b1cd802d901b4c9eccdfef"}],"affected":[{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-08-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["55705507659901056751541525100410692467","129612777462826108300575791623030211462","218160243998060500243641945815635237332","15727238478529142005183987233395361709","189428048400701381172458269065605979516","185168886266552122974993543782533786385"]},"deprecated":false,"target":{"file":"stack/l2cap/l2c_ble.cc"},"signature_version":"v1","id":"ASB-A-230494481-4ece4e7d","source":"https://android.googlesource.com/platform/system/bt/+/d24b9c262039347b30c1ec41d38fa5c598a9fbd7","signature_type":"Line"},{"digest":{"length":15253,"function_hash":"84986807421059699936917941225242500392"},"deprecated":false,"target":{"file":"stack/l2cap/l2c_ble.cc","function":"l2cble_process_sig_cmd"},"signature_version":"v1","id":"ASB-A-230494481-f122d02b","source":"https://android.googlesource.com/platform/system/bt/+/d24b9c262039347b30c1ec41d38fa5c598a9fbd7","signature_type":"Function"}],"types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/d24b9c262039347b30c1ec41d38fa5c598a9fbd7"],"spl":"2022-08-01","severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230494481.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-08-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["55705507659901056751541525100410692467","129612777462826108300575791623030211462","218160243998060500243641945815635237332","15727238478529142005183987233395361709","189428048400701381172458269065605979516","185168886266552122974993543782533786385"]},"deprecated":false,"target":{"file":"stack/l2cap/l2c_ble.cc"},"signature_version":"v1","id":"ASB-A-230494481-9f1fd7cd","source":"https://android.googlesource.com/platform/system/bt/+/d24b9c262039347b30c1ec41d38fa5c598a9fbd7","signature_type":"Line"},{"digest":{"length":15253,"function_hash":"84986807421059699936917941225242500392"},"deprecated":false,"target":{"file":"stack/l2cap/l2c_ble.cc","function":"l2cble_process_sig_cmd"},"signature_version":"v1","id":"ASB-A-230494481-da73fd51","source":"https://android.googlesource.com/platform/system/bt/+/d24b9c262039347b30c1ec41d38fa5c598a9fbd7","signature_type":"Function"}],"types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/d24b9c262039347b30c1ec41d38fa5c598a9fbd7"],"spl":"2022-08-01","severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230494481.json"}}],"schema_version":"1.7.5"}