{"id":"ASB-A-230867224","details":"In avct_lcb_msg_asmbl of avct_lcb_act.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-230867224","CVE-2022-20469"],"modified":"2026-04-17T15:55:28.020024Z","published":"2022-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6b4acc4d439bf6e66c520819de068eb486724e05"}],"affected":[{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-12-01"}]}],"versions":["10"],"ecosystem_specific":{"spl":"2022-12-01","severity":"High","types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/769f55450bd2eb94ddb9080f730e404de7716bda"],"vanir_signatures":[{"id":"ASB-A-230867224-4c8c42f7","digest":{"threshold":0.9,"line_hashes":["173584054749471213542059671671466609370","218272014920384491034865323393805809107","213647027907871969227418315119428298185","9928675793482950772906846926328496605","315874836010301295655053817557664409089","234310698468177673899024177910053053341","131546008756469857604060041408456869966","52641849214879142077314346935312098238"]},"source":"https://android.googlesource.com/platform/system/bt/+/769f55450bd2eb94ddb9080f730e404de7716bda","target":{"file":"stack/avct/avct_lcb_act.cc"},"signature_type":"Line","deprecated":false,"signature_version":"v1"},{"id":"ASB-A-230867224-8cf5a75b","digest":{"length":2079,"function_hash":"215894916147553160587423900392199587617"},"source":"https://android.googlesource.com/platform/system/bt/+/769f55450bd2eb94ddb9080f730e404de7716bda","target":{"file":"stack/avct/avct_lcb_act.cc","function":"avct_lcb_msg_asmbl"},"signature_type":"Function","deprecated":false,"signature_version":"v1"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230867224.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-12-01"}]}],"versions":["11"],"ecosystem_specific":{"spl":"2022-12-01","severity":"High","types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/f67ea88c64d62e81c9a804c67ff06c52a6920d39"],"vanir_signatures":[{"id":"ASB-A-230867224-9554efac","digest":{"length":2079,"function_hash":"215894916147553160587423900392199587617"},"source":"https://android.googlesource.com/platform/system/bt/+/f67ea88c64d62e81c9a804c67ff06c52a6920d39","target":{"file":"stack/avct/avct_lcb_act.cc","function":"avct_lcb_msg_asmbl"},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"ASB-A-230867224-fb7dc3b0","digest":{"threshold":0.9,"line_hashes":["173584054749471213542059671671466609370","218272014920384491034865323393805809107","213647027907871969227418315119428298185","9928675793482950772906846926328496605","315874836010301295655053817557664409089","234310698468177673899024177910053053341","131546008756469857604060041408456869966","52641849214879142077314346935312098238"]},"source":"https://android.googlesource.com/platform/system/bt/+/f67ea88c64d62e81c9a804c67ff06c52a6920d39","target":{"file":"stack/avct/avct_lcb_act.cc"},"signature_type":"Line","deprecated":false,"signature_version":"v1"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230867224.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-12-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2022-12-01","severity":"High","types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/2992109ab975def57192c5e3d40078e69b1e8717"],"vanir_signatures":[{"id":"ASB-A-230867224-11d2a2f6","digest":{"length":2079,"function_hash":"215894916147553160587423900392199587617"},"source":"https://android.googlesource.com/platform/system/bt/+/2992109ab975def57192c5e3d40078e69b1e8717","target":{"file":"stack/avct/avct_lcb_act.cc","function":"avct_lcb_msg_asmbl"},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"ASB-A-230867224-ace0e056","digest":{"threshold":0.9,"line_hashes":["315874836010301295655053817557664409089","234310698468177673899024177910053053341","131546008756469857604060041408456869966","52641849214879142077314346935312098238"]},"source":"https://android.googlesource.com/platform/system/bt/+/2992109ab975def57192c5e3d40078e69b1e8717","target":{"file":"stack/avct/avct_lcb_act.cc"},"signature_type":"Line","deprecated":false,"signature_version":"v1"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230867224.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-12-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2022-12-01","severity":"High","types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/2992109ab975def57192c5e3d40078e69b1e8717"],"vanir_signatures":[{"id":"ASB-A-230867224-c8721c22","digest":{"threshold":0.9,"line_hashes":["315874836010301295655053817557664409089","234310698468177673899024177910053053341","131546008756469857604060041408456869966","52641849214879142077314346935312098238"]},"source":"https://android.googlesource.com/platform/system/bt/+/2992109ab975def57192c5e3d40078e69b1e8717","target":{"file":"stack/avct/avct_lcb_act.cc"},"signature_type":"Line","deprecated":false,"signature_version":"v1"},{"id":"ASB-A-230867224-d989ff4f","digest":{"length":2079,"function_hash":"215894916147553160587423900392199587617"},"source":"https://android.googlesource.com/platform/system/bt/+/2992109ab975def57192c5e3d40078e69b1e8717","target":{"file":"stack/avct/avct_lcb_act.cc","function":"avct_lcb_msg_asmbl"},"signature_type":"Function","deprecated":false,"signature_version":"v1"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230867224.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-12-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2022-12-01","severity":"High","types":["RCE"],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6b4acc4d439bf6e66c520819de068eb486724e05"],"vanir_signatures":[{"id":"ASB-A-230867224-52c0fda8","digest":{"threshold":0.9,"line_hashes":["315874836010301295655053817557664409089","234310698468177673899024177910053053341","131546008756469857604060041408456869966","52641849214879142077314346935312098238"]},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6b4acc4d439bf6e66c520819de068eb486724e05","target":{"file":"system/stack/avct/avct_lcb_act.cc"},"signature_type":"Line","deprecated":false,"signature_version":"v1"},{"id":"ASB-A-230867224-ee64cc06","digest":{"length":2079,"function_hash":"215894916147553160587423900392199587617"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6b4acc4d439bf6e66c520819de068eb486724e05","target":{"file":"system/stack/avct/avct_lcb_act.cc","function":"avct_lcb_msg_asmbl"},"signature_type":"Function","deprecated":false,"signature_version":"v1"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230867224.json"}}],"schema_version":"1.7.5"}