{"id":"ASB-A-261068592","details":"In gatt_end_operation of gatt_utils.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-261068592","CVE-2023-21250"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2023-07-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-07-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/ec573bc83f1ed6722f7cb29431dcb2db7f10bf28"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-07-01"}]}],"versions":["13-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7236e4492470e30c129d01d521a7d218494725b4"],"types":["RCE"],"spl":"2023-07-01","severity":"Critical","vanir_signatures":[{"deprecated":false,"id":"ASB-A-261068592-be366593","digest":{"function_hash":"147527530172533466624622267759232095927","length":1711},"signature_version":"v1","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7236e4492470e30c129d01d521a7d218494725b4","signature_type":"Function","target":{"function":"gatt_end_operation","file":"system/stack/gatt/gatt_utils.cc"}},{"deprecated":false,"id":"ASB-A-261068592-ddf7625e","digest":{"threshold":0.9,"line_hashes":["165079517157126764450332025370767053702","68954298953311541198704172660533801470","18332213301413389718544589642577575988"]},"signature_version":"v1","source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7236e4492470e30c129d01d521a7d218494725b4","signature_type":"Line","target":{"file":"system/stack/gatt/gatt_utils.cc"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-261068592.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-07-01"}]}],"versions":["11"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200"],"types":["RCE"],"spl":"2023-07-01","severity":"Critical","vanir_signatures":[{"deprecated":false,"id":"ASB-A-261068592-0cc6e285","digest":{"function_hash":"324724727108349940384182174189829733316","length":1701},"signature_version":"v1","target":{"function":"gatt_end_operation","file":"stack/gatt/gatt_utils.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200","signature_type":"Function"},{"deprecated":false,"id":"ASB-A-261068592-d0e1441b","digest":{"threshold":0.9,"line_hashes":["165079517157126764450332025370767053702","68954298953311541198704172660533801470","18332213301413389718544589642577575988"]},"signature_version":"v1","source":"https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200","signature_type":"Line","target":{"file":"stack/gatt/gatt_utils.cc"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-261068592.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-07-01"}]}],"versions":["12"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200"],"types":["RCE"],"spl":"2023-07-01","severity":"Critical","vanir_signatures":[{"deprecated":false,"id":"ASB-A-261068592-7d66e178","digest":{"function_hash":"324724727108349940384182174189829733316","length":1701},"signature_version":"v1","signature_type":"Function","target":{"function":"gatt_end_operation","file":"stack/gatt/gatt_utils.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200"},{"deprecated":false,"id":"ASB-A-261068592-e4612ec5","digest":{"threshold":0.9,"line_hashes":["165079517157126764450332025370767053702","68954298953311541198704172660533801470","18332213301413389718544589642577575988"]},"signature_version":"v1","target":{"file":"stack/gatt/gatt_utils.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200","signature_type":"Line"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-261068592.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-07-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200"],"spl":"2023-07-01","severity":"Critical","vanir_signatures":[{"deprecated":false,"id":"ASB-A-261068592-5a55bbd1","digest":{"function_hash":"324724727108349940384182174189829733316","length":1701},"signature_version":"v1","target":{"function":"gatt_end_operation","file":"stack/gatt/gatt_utils.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200","signature_type":"Function"},{"deprecated":false,"id":"ASB-A-261068592-95946b6c","digest":{"threshold":0.9,"line_hashes":["165079517157126764450332025370767053702","68954298953311541198704172660533801470","18332213301413389718544589642577575988"]},"signature_version":"v1","target":{"file":"stack/gatt/gatt_utils.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200","signature_type":"Line"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-261068592.json"}},{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-07-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["RCE"],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7236e4492470e30c129d01d521a7d218494725b4"],"spl":"2023-07-01","severity":"Critical","vanir_signatures":[{"deprecated":false,"id":"ASB-A-261068592-f5efb08d","digest":{"threshold":0.9,"line_hashes":["165079517157126764450332025370767053702","68954298953311541198704172660533801470","18332213301413389718544589642577575988"]},"signature_version":"v1","signature_type":"Line","target":{"file":"system/stack/gatt/gatt_utils.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7236e4492470e30c129d01d521a7d218494725b4"},{"deprecated":false,"id":"ASB-A-261068592-f829a556","digest":{"function_hash":"147527530172533466624622267759232095927","length":1711},"signature_version":"v1","target":{"function":"gatt_end_operation","file":"system/stack/gatt/gatt_utils.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7236e4492470e30c129d01d521a7d218494725b4","signature_type":"Function"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-261068592.json"}}],"schema_version":"1.7.5"}