{"id":"ASB-A-232023771","details":"In avdt_msg_asmbl of avdt_msg.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-232023771","CVE-2022-20411"],"modified":"2026-05-25T16:46:24.913870386Z","published":"2022-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/9f083ec910ec38ba7ba04443b126f66ef33972b4"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/493fcadb4111608f364df2b9c31bdc0234ac527a"}],"affected":[{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-12-01"}]}],"versions":["10"],"ecosystem_specific":{"vanir_signatures":[{"source":"https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12","signature_type":"Function","signature_version":"v1","target":{"file":"stack/avdt/avdt_msg.cc","function":"avdt_msg_asmbl"},"digest":{"length":2269,"function_hash":"31651622261620113666886604573074119865"},"id":"ASB-A-232023771-24b295aa","deprecated":false},{"digest":{"length":2079,"function_hash":"215894916147553160587423900392199587617"},"signature_type":"Function","signature_version":"v1","target":{"file":"stack/avct/avct_lcb_act.cc","function":"avct_lcb_msg_asmbl"},"source":"https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12","id":"ASB-A-232023771-321a029d","deprecated":false},{"source":"https://android.googlesource.com/platform/system/bt/+/07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f","signature_type":"Line","signature_version":"v1","target":{"file":"stack/avdt/avdt_msg.cc"},"digest":{"line_hashes":["70120848165161273781258461032605334239","103868281249314003293679143785339859589","278968636750065012184485026436445418276","55401410856980922119019680032701604430"],"threshold":0.9},"id":"ASB-A-232023771-4166c182","deprecated":false},{"source":"https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12","signature_type":"Line","signature_version":"v1","target":{"file":"stack/avct/avct_lcb_act.cc"},"deprecated":false,"id":"ASB-A-232023771-815881f1","digest":{"line_hashes":["173584054749471213542059671671466609370","218272014920384491034865323393805809107","213647027907871969227418315119428298185","9928675793482950772906846926328496605","299567162013897171384820515506672829954","303197354449278179794684350283057267623","28531630504339552654429710756820330137","327271937418312844391748711278984965058"],"threshold":0.9}},{"digest":{"length":2129,"function_hash":"160853215269139646123064996311532757850"},"signature_type":"Function","signature_version":"v1","target":{"file":"stack/avdt/avdt_msg.cc","function":"avdt_msg_asmbl"},"deprecated":false,"id":"ASB-A-232023771-b21cbf2c","source":"https://android.googlesource.com/platform/system/bt/+/07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f"},{"digest":{"line_hashes":["70120848165161273781258461032605334239","215507649221945670645596187650782013637","23877860105343681440705075309397570792","310567960305520675214271535015287563817","88934782529621464372846023753636423842","219719858263803852531280969617611252898","137818675491998040360743622437184545376","265765237446791770549679568004270914313"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","target":{"file":"stack/avdt/avdt_msg.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12","id":"ASB-A-232023771-f7b85ac5","deprecated":false}],"fixes":["https://android.googlesource.com/platform/system/bt/+/07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f","https://android.googlesource.com/platform/system/bt/+/a4311b284639bbd2c6c2c72d35d8444d40fb2d12"],"spl":"2022-12-01","severity":"Critical","types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-232023771.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-12-01"}]}],"versions":["11"],"ecosystem_specific":{"vanir_signatures":[{"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"stack/avdt/avdt_msg.cc","function":"avdt_msg_asmbl"},"source":"https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653","id":"ASB-A-232023771-1ac3aad0","digest":{"length":2269,"function_hash":"31651622261620113666886604573074119865"}},{"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"stack/avct/avct_lcb_act.cc","function":"avct_lcb_msg_asmbl"},"source":"https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653","id":"ASB-A-232023771-a30ae265","digest":{"length":2079,"function_hash":"215894916147553160587423900392199587617"}},{"digest":{"line_hashes":["70120848165161273781258461032605334239","215507649221945670645596187650782013637","23877860105343681440705075309397570792","310567960305520675214271535015287563817","88934782529621464372846023753636423842","219719858263803852531280969617611252898","137818675491998040360743622437184545376","265765237446791770549679568004270914313"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","target":{"file":"stack/avdt/avdt_msg.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653","id":"ASB-A-232023771-ad6e5cb0","deprecated":false},{"source":"https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653","signature_type":"Line","signature_version":"v1","target":{"file":"stack/avct/avct_lcb_act.cc"},"deprecated":false,"id":"ASB-A-232023771-c52f64b9","digest":{"line_hashes":["173584054749471213542059671671466609370","218272014920384491034865323393805809107","213647027907871969227418315119428298185","9928675793482950772906846926328496605","299567162013897171384820515506672829954","303197354449278179794684350283057267623","28531630504339552654429710756820330137","327271937418312844391748711278984965058"],"threshold":0.9}},{"source":"https://android.googlesource.com/platform/system/bt/+/324c3065f863b8484847bbdfd91ef4709d407c8c","signature_type":"Line","signature_version":"v1","target":{"file":"stack/avdt/avdt_msg.cc"},"deprecated":false,"id":"ASB-A-232023771-e07377b5","digest":{"line_hashes":["70120848165161273781258461032605334239","103868281249314003293679143785339859589","278968636750065012184485026436445418276","55401410856980922119019680032701604430"],"threshold":0.9}},{"source":"https://android.googlesource.com/platform/system/bt/+/324c3065f863b8484847bbdfd91ef4709d407c8c","signature_type":"Function","signature_version":"v1","target":{"file":"stack/avdt/avdt_msg.cc","function":"avdt_msg_asmbl"},"deprecated":false,"id":"ASB-A-232023771-ea12604b","digest":{"length":2129,"function_hash":"160853215269139646123064996311532757850"}}],"spl":"2022-12-01","severity":"Critical","fixes":["https://android.googlesource.com/platform/system/bt/+/324c3065f863b8484847bbdfd91ef4709d407c8c","https://android.googlesource.com/platform/system/bt/+/240baf57ea9a112c153af0b53082c6951c636653"],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-232023771.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-12-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"stack/avct/avct_lcb_act.cc","function":"avct_lcb_msg_asmbl"},"source":"https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176","id":"ASB-A-232023771-285f19e5","digest":{"length":2079,"function_hash":"215894916147553160587423900392199587617"}},{"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"stack/avdt/avdt_msg.cc","function":"avdt_msg_asmbl"},"source":"https://android.googlesource.com/platform/system/bt/+/a75b650a2a4b6b62be1ceb2040c598b0feb0dacb","id":"ASB-A-232023771-377d1e1d","digest":{"length":2129,"function_hash":"160853215269139646123064996311532757850"}},{"source":"https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176","signature_type":"Line","signature_version":"v1","target":{"file":"stack/avdt/avdt_msg.cc"},"digest":{"line_hashes":["70120848165161273781258461032605334239","215507649221945670645596187650782013637","23877860105343681440705075309397570792","310567960305520675214271535015287563817","88934782529621464372846023753636423842","219719858263803852531280969617611252898","137818675491998040360743622437184545376","265765237446791770549679568004270914313"],"threshold":0.9},"id":"ASB-A-232023771-6cef8960","deprecated":false},{"digest":{"length":2269,"function_hash":"31651622261620113666886604573074119865"},"signature_type":"Function","signature_version":"v1","target":{"file":"stack/avdt/avdt_msg.cc","function":"avdt_msg_asmbl"},"source":"https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176","id":"ASB-A-232023771-6f9faae4","deprecated":false},{"source":"https://android.googlesource.com/platform/system/bt/+/a75b650a2a4b6b62be1ceb2040c598b0feb0dacb","signature_type":"Line","signature_version":"v1","target":{"file":"stack/avdt/avdt_msg.cc"},"deprecated":false,"id":"ASB-A-232023771-a9d2d372","digest":{"line_hashes":["70120848165161273781258461032605334239","103868281249314003293679143785339859589","278968636750065012184485026436445418276","55401410856980922119019680032701604430"],"threshold":0.9}},{"source":"https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176","signature_type":"Line","signature_version":"v1","target":{"file":"stack/avct/avct_lcb_act.cc"},"deprecated":false,"id":"ASB-A-232023771-c106511b","digest":{"line_hashes":["299567162013897171384820515506672829954","303197354449278179794684350283057267623","28531630504339552654429710756820330137","327271937418312844391748711278984965058"],"threshold":0.9}}],"severity":"Critical","fixes":["https://android.googlesource.com/platform/system/bt/+/a75b650a2a4b6b62be1ceb2040c598b0feb0dacb","https://android.googlesource.com/platform/system/bt/+/62986e6a11a7340925d79c4282513aebc28da176"],"spl":"2022-12-01","types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-232023771.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-12-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ed9a843cf147bbfa1a80f2507769014958940eb4","signature_type":"Line","signature_version":"v1","target":{"file":"system/stack/avdt/avdt_msg.cc"},"deprecated":false,"id":"ASB-A-232023771-7977fdf2","digest":{"line_hashes":["70120848165161273781258461032605334239","103868281249314003293679143785339859589","278968636750065012184485026436445418276","55401410856980922119019680032701604430"],"threshold":0.9}},{"digest":{"length":2269,"function_hash":"31651622261620113666886604573074119865"},"signature_type":"Function","signature_version":"v1","target":{"file":"system/stack/avdt/avdt_msg.cc","function":"avdt_msg_asmbl"},"deprecated":false,"id":"ASB-A-232023771-9cacfddc","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb"},{"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"system/stack/avct/avct_lcb_act.cc","function":"avct_lcb_msg_asmbl"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb","id":"ASB-A-232023771-c94e61f4","digest":{"length":2079,"function_hash":"215894916147553160587423900392199587617"}},{"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb","signature_type":"Line","signature_version":"v1","target":{"file":"system/stack/avct/avct_lcb_act.cc"},"digest":{"line_hashes":["299567162013897171384820515506672829954","303197354449278179794684350283057267623","28531630504339552654429710756820330137","327271937418312844391748711278984965058"],"threshold":0.9},"id":"ASB-A-232023771-dac224cf","deprecated":false},{"digest":{"length":2129,"function_hash":"160853215269139646123064996311532757850"},"signature_type":"Function","signature_version":"v1","target":{"file":"system/stack/avdt/avdt_msg.cc","function":"avdt_msg_asmbl"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ed9a843cf147bbfa1a80f2507769014958940eb4","id":"ASB-A-232023771-f0b5ebf2","deprecated":false},{"digest":{"line_hashes":["70120848165161273781258461032605334239","215507649221945670645596187650782013637","23877860105343681440705075309397570792","310567960305520675214271535015287563817","88934782529621464372846023753636423842","219719858263803852531280969617611252898","137818675491998040360743622437184545376","265765237446791770549679568004270914313"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","target":{"file":"system/stack/avdt/avdt_msg.cc"},"deprecated":false,"id":"ASB-A-232023771-f4290a62","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb"}],"spl":"2022-12-01","severity":"Critical","fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ed9a843cf147bbfa1a80f2507769014958940eb4","https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2459b5ec5206850e493ce28bc8386a98b2170dfb"],"types":["RCE"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-232023771.json"}}],"schema_version":"1.7.5"}